WEB APPLICATION VULNERABILITIES Standard & Premium

Craft CMS Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') Vulnerability (CVE-2023-40035)

Description

Craft is a CMS for creating custom digital experiences on the web and beyond. Bypassing the validatePath function can lead to potential remote code execution. This vulnerability can lead to malicious control of vulnerable systems and data exfiltrations. Although the vulnerability is exploitable only in the authenticated users, configuration with ALLOW_ADMIN_CHANGES=true, there is still a potential security threat (Remote Code Execution). This issue has been patched in version 4.4.15 and version 3.8.15.

Remediation

References

Related Vulnerabilities

WordPress Plugin User Login Log Cross-Site Scripting (2.2.2)

Atlassian Confluence Unrestricted Upload of File with Dangerous Type Vulnerability (CVE-2020-29450)

Atlassian Jira Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2017-18100)

PrestaShop Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2023-30838)

Oracle Database Server Other Vulnerability (CVE-2006-3704)

Severity

High

Classification

CVE-2023-40035 CWE-138 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities