
CVE-2023-47129 statamic/cms

Package

Manager: composer
Name: statamic/cms
Vulnerable Version: >=4.0.0 <4.33.0 || >=0 <3.4.13

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.03765 (percentile 0.8759)

Details

Statamic CMS remote code execution via front-end form uploads

Impact

On front-end forms with an asset upload field, PHP files crafted to look like images may be uploaded regardless of MIME validation rules. This only affects forms using the "Forms" feature and not just _any_ arbitrary form. This does not affect the control panel.

Patches

It has been patched in 3.4.13 and 4.33.0.
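As an added illustration of the server-side check this advisory implies (example code, not Statamic's own): a content-level validator that requires the magic bytes the extension promises and then scans the whole body for PHP open tags, so a file that passes an extension or MIME check but carries PHP code after a valid image header is still rejected. The extension allowlist, the function name and the sample bytes are assumptions constructed for this example.

```python
import re

# Magic-byte prefixes expected for each accepted extension (constructed allowlist).
EXT_MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# PHP open tags that would let a disguised upload execute if it is ever handed
# to the PHP interpreter. A bare "<?" is deliberately not matched: it occurs
# legitimately inside binary image data and would cause false rejects.
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


def classify_upload(filename: str, content: bytes) -> str:
    """Return 'ok', or a reason string for rejecting the upload.

    Checks the extension, then the magic bytes that extension implies, then
    scans the entire body for PHP open tags so a polyglot (valid image header
    followed by PHP code) is rejected even though its MIME sniff says "image".
    """
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext not in EXT_MAGIC:
        return "extension-not-allowed"
    # "name.php.jpg" style names: reject any PHP-like inner extension.
    if any(p.startswith("php") or p in ("phtml", "phar") for p in parts[1:-1]):
        return "suspicious-double-extension"
    if not any(content.startswith(magic) for magic in EXT_MAGIC[ext]):
        return "magic-mismatch"
    if PHP_OPEN_TAG.search(content):
        return "php-code-in-image"
    return "ok"


# Constructed samples: a minimal PNG-looking body, and the same header with a
# PHP open tag appended (the shape of upload the advisory describes).
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 32
SAMPLE_POLYGLOT = SAMPLE_PNG + b"<?php echo 1; ?>"

if __name__ == "__main__":
    for name, body in [("photo.png", SAMPLE_PNG), ("photo.png", SAMPLE_POLYGLOT),
                       ("photo.jpg", SAMPLE_PNG), ("page.php", b"<?php ?>")]:
        print(name, classify_upload(name, body))
```

This is defence in depth alongside the patched versions (3.4.13 / 4.33.0), not a replacement for them; the upload directory should additionally never be executed by the PHP interpreter, so a file that slips past any content check is only ever served as static bytes.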

Metadata

Created: 2023-11-12T15:57:58Z
Modified: 2023-11-12T15:57:58Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-72hg-5wr5-rmfc/GHSA-72hg-5wr5-rmfc.json
CWE IDs: ["CWE-434"]
Alternative ID: GHSA-72hg-5wr5-rmfc
Finding: F027
Auto approve: 1