VYPR
High severityNVD Advisory· Published Nov 13, 2024· Updated Nov 13, 2024

Craft has a Potential Remote Code Execution via missing path normalization & Twig SSTI

CVE-2024-52293

Description

Craft is a content management system (CMS). Prior to 4.12.2 and 5.4.3, Craft is missing normalizePath in the function FileHelper::absolutePath could lead to Remote Code Execution on the server via twig SSTI. This is a sequel to CVE-2023-40035. This vulnerability is fixed in 4.12.2 and 5.4.3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
craftcms/cmsPackagist
>= 4.0.0-RC1, < 4.12.24.12.2
craftcms/cmsPackagist
>= 5.0.0-RC1, < 5.4.35.4.3

Affected products

2

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.