CVE-2023-30179
Severity CVSS v4.0:
Pending analysis
Type:
CWE-94
Code Injection
Publication date:
13/06/2023
Last modified:
03/01/2025
Description
CraftCMS version 3.7.59 is vulnerable to Server-Side Template Injection (SSTI). An authenticated attacker can inject a Twig template into the User Photo Location field when setting the User Photo Location in User Settings, leading to Remote Code Execution. NOTE: the vendor disputes this because only Administrators can add this Twig code, and (by design) Administrators are allowed to do that by default.
Impact
Base Score 3.x
7.20
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:craftcms:craft_cms:3.7.59:*:*:*:*:*:*:* | | |
References to Advisories, Solutions, and Tools
- https://datnlq.gitbook.io/cve/craft-cms/cve-2023-30179-server-side-template-injection
- https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#442---2023-03-14
- https://github.com/github/advisory-database/pull/2443#issuecomment-1610040714
- https://github.com/github/advisory-database/pull/2443#issuecomment-1610634200