VYPR
Critical severity · NVD Advisory · Published Jun 30, 2021 · Updated Aug 3, 2024

CVE-2021-27903

Description

An issue was discovered in Craft CMS before 3.6.7. In some circumstances, a potential Remote Code Execution vulnerability existed on sites that did not restrict administrative changes (if an attacker were somehow able to hijack an administrator's session).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Craft CMS before 3.6.7 allowed admin session hijackers to set a Local volume path to a system directory, potentially enabling remote code execution.

Vulnerability

In Craft CMS before version 3.6.7, a Local volume's path could be set to a system directory (e.g., templates, config) [2]. This allowed an attacker with administrative session access to potentially achieve remote code execution by placing malicious files in system directories [1].

Exploitation

An attacker needs to hijack an administrator's session. Then, they can modify a Local volume's path to point to a system directory, such as the templates directory, and upload or write files that could be executed by the server [2].

Impact

Successful exploitation could lead to remote code execution on the server, giving the attacker full control of the application and underlying system [1].

Mitigation

The issue is fixed in Craft CMS 3.6.7, released on 2021-02-23 [4]. The fix adds validation to prevent Local volumes from being set to system directories [2]. Users should upgrade to at least version 3.6.7. No workaround is available; upgrading is required.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
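The containment check behind this fix, written out as an added stand-alone PHP example (not Craft CMS code, and not the patch itself): it reproduces the realpath-plus-trailing-separator prefix test that 3.6.7 introduced for the Local volume path, and goes beyond it in two ways a defender would want, rejecting a volume that contains a system directory (for instance a volume rooted at the project root) and treating a path that cannot be resolved as a validation error rather than skipping the check. The function names, the protected-directory list and the temporary project layout are this example's own constructed fixture.

```php
<?php
// Added example: a stand-alone re-implementation of the "volume path must
// not be a system directory" check, not Craft CMS code. Function names and
// the temporary fixture are this example's own.
declare(strict_types=1);

/**
 * True if $child is $parent or lies beneath it. Both sides are canonicalised
 * with realpath() so symlinks and ".." segments cannot sidestep the test, and
 * a trailing separator stops "/app/templates2" from matching "/app/templates".
 */
function pathIsWithin(string $child, string $parent): bool
{
    $child = realpath($child);
    $parent = realpath($parent);
    if ($child === false || $parent === false) {
        return false;
    }
    $child = rtrim($child, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    $parent = rtrim($parent, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strpos($child, $parent) === 0;
}

/**
 * Validate a candidate volume root against protected directories. Returns a
 * list of problems; an empty list means the path is acceptable. An
 * unresolvable path is reported instead of being waved through, and overlap
 * in either direction (volume inside system dir, system dir inside volume)
 * is rejected.
 */
function validateVolumeRoot(string $candidate, array $systemDirs): array
{
    $errors = [];
    if (realpath($candidate) === false) {
        $errors[] = "path does not exist or cannot be resolved: $candidate";
        return $errors;
    }
    foreach ($systemDirs as $dir) {
        if (pathIsWithin($candidate, $dir)) {
            $errors[] = "path is inside system directory $dir";
        } elseif (pathIsWithin($dir, $candidate)) {
            $errors[] = "path contains system directory $dir";
        }
    }
    return $errors;
}

/** Recursively delete the constructed fixture. */
function removeTree(string $dir): void
{
    foreach (array_diff(scandir($dir), ['.', '..']) as $entry) {
        $full = $dir . DIRECTORY_SEPARATOR . $entry;
        is_dir($full) ? removeTree($full) : unlink($full);
    }
    rmdir($dir);
}

// Constructed fixture: a throwaway project layout under the temp directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'volcheck_' . bin2hex(random_bytes(4));
foreach (['templates', 'vendor', 'config', 'web/uploads', 'templates2'] as $sub) {
    mkdir($root . DIRECTORY_SEPARATOR . $sub, 0700, true);
}
mkdir("$root/templates/assets", 0700);
$systemDirs = ["$root/templates", "$root/vendor", "$root/config"];

// Candidate volume paths and the verdict each one should receive.
$cases = [
    "$root/web/uploads"      => 'ok: outside every system directory',
    "$root/templates"        => 'rejected: equals a system directory',
    "$root/templates/assets" => 'rejected: nested inside templates/',
    "$root/templates2"       => 'ok: sibling sharing a prefix is not inside',
    "$root/web/../vendor"    => 'rejected: ".." normalises into vendor/',
    $root                    => 'rejected: project root contains system directories',
    "$root/missing"          => 'rejected: path cannot be resolved',
];

foreach ($cases as $path => $expectation) {
    $errors = validateVolumeRoot($path, $systemDirs);
    $label = substr($path, strlen($root)) ?: '/';
    printf("%-20s %s\n", $label, $errors ? 'REJECT: ' . implode('; ', $errors) : 'OK');
    echo "    expected $expectation\n";
}

removeTree($root);
```

Run it with `php volume-path-check.php`; every case prints its verdict next to the expected one. The trailing-separator comparison is the part most often got wrong in hand-rolled checks: without it, a sibling directory whose name merely starts with a protected name would be rejected, and, more dangerously, a naive prefix test on unnormalised strings would let `web/../vendor` through.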

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: craftcms/cms (Packagist)
Affected versions: < 3.6.7
Patched versions: 3.6.7

Affected products: 2

Patches: 1
c17728fa0bec

Don’t allow pointing a Local volume to a system directory

https://github.com/craftcms/cms · brandonkelly · Feb 16, 2021 · via ghsa
2 files changed · +56 −0
  • CHANGELOG.md · +3 −0 · modified
    @@ -10,6 +10,9 @@
     - Adjusted GraphQL complexity values for relational fields.
     - Updated Composer to 2.0.9.
     
    +### Security
    +- It’s no longer possible to save a Local volume with the File System Path setting set to a system directory (e.g. the `templates/` or `vendor/` folders).
    +
     ## 3.6.6 - 2021-02-15
     
     ### Added
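Review bot: the Security entry names only `templates/` and `vendor/` as examples, while the `src/volumes/Local.php` change in this same commit rejects a longer list (config, runtime, logs, translations, the composer/config/db backup paths, the rebrand and tests directories). Existing volumes that happen to live under one of those paths will now fail to save, so consider either listing the full set here or wording it as "any Craft system directory" and saying where the list lives, so that an admin who hits the new validation error on an old volume knows what changed.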
    
  • src/volumes/Local.php · +53 −0 · modified
    @@ -12,6 +12,7 @@
     use League\Flysystem\Adapter\Local as LocalAdapter;
     use League\Flysystem\FileExistsException;
     use League\Flysystem\FileNotFoundException;
    +use yii\validators\InlineValidator;
     
     /**
      * The local volume class. Handles the implementation of the local filesystem as a volume in
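Review bot: the only import added is `InlineValidator`, but `validatePath()` further down also calls `FileHelper::createDirectory()`, `FileHelper::removeDirectory()`, `Craft::$app` and `Craft::getAlias()`; this hunk does not show whether the corresponding `use` statements for `Craft` and `FileHelper` already exist above line 12 of the file. Worth confirming before merge rather than leaving a missing `use` to surface as a runtime fatal when an admin first saves a Local volume.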
    @@ -58,9 +59,61 @@ protected function defineRules(): array
         {
             $rules = parent::defineRules();
             $rules[] = [['path'], 'required'];
    +        $rules[] = [['path'], 'validatePath'];
             return $rules;
         }
     
    +    /**
    +     * @param string $attribute
    +     * @param array|null $params
    +     * @param InlineValidator $validator
    +     * @param string $path
    +     * @return void
    +     * @since 3.6.7
    +     */
    +    public function validatePath(string $attribute, ?array $params, InlineValidator $validator, string $path): void
    +    {
    +        if ($created = !file_exists($path)) {
    +            FileHelper::createDirectory($path);
    +        }
    +
    +        $path = realpath($this->getRootPath());
    +
    +        if ($path === false) {
    +            return;
    +        }
    +
    +        // Make sure it’s not within any of the system directories
    +        $pathService = Craft::$app->getPath();
    +        $systemDirs = [
    +            Craft::getAlias('@contentMigrations'),
    +            Craft::getAlias('@lib'),
    +            $pathService->getComposerBackupsPath(false),
    +            $pathService->getConfigBackupPath(false),
    +            $pathService->getConfigDeltaPath(false),
    +            $pathService->getConfigPath(),
    +            $pathService->getDbBackupPath(false),
    +            $pathService->getLogPath(false),
    +            $pathService->getRebrandPath(false),
    +            $pathService->getRuntimePath(false),
    +            $pathService->getSiteTemplatesPath(),
    +            $pathService->getSiteTranslationsPath(),
    +            $pathService->getTestsPath(),
    +            $pathService->getVendorPath(),
    +        ];
    +
    +        foreach ($systemDirs as $dir) {
    +            $dir = realpath($dir);
    +            if ($dir !== false && strpos($path . DIRECTORY_SEPARATOR, $dir . DIRECTORY_SEPARATOR) === 0) {
    +                $validator->addError($this, $attribute, Craft::t('app', 'Local volumes cannot be located within system directories.'));
    +                if ($created) {
    +                    FileHelper::removeDirectory($path);
    +                }
    +                break;
    +            }
    +        }
    +    }
    +
         /**
          * @inheritdoc
          */
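Review bot: three points on `validatePath()`. First, `if ($path === false) { return; }` fails open: when `realpath()` cannot resolve the root (for example because `createDirectory()` could not create it), the method adds no error and the volume saves, which is the opposite of what a security check should do on an unexpected condition; add a validation error there instead. Second, `strpos($path . DIRECTORY_SEPARATOR, $dir . DIRECTORY_SEPARATOR) === 0` only catches a volume that sits inside a system directory; the reverse case, a volume rooted at a directory that contains one (the project root, which holds `templates/`, `config/` and `vendor/`), is not rejected although it exposes the same directories through subfolders, and a second `strpos` with the arguments swapped would cover it. Third, `file_exists()` and `createDirectory()` operate on the raw `$path` argument while the containment check uses `realpath($this->getRootPath())`; if the stored setting can differ from the resolved root (an alias or environment variable that `getRootPath()` expands), the existence test and the directory creation act on the wrong string. Creating the directory before the path has been validated is also a side effect a validator should avoid, even with the `removeDirectory()` clean-up on failure.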
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5

News mentions: 0

No linked articles in our index yet.