Description
CraftCMS version 3.7.59 is vulnerable to Server-Side Template Injection (SSTI). An authenticated attacker who can edit the User Photo Location field under User Settings in the control panel can place Twig template syntax in that field; the subpath is rendered by the Twig engine when a user photo is stored, so attacker-controlled Twig expressions are evaluated server-side, leading to Remote Code Execution. Note that the field accepts Twig by design (it is meant for simple substitutions such as a username), and that the control panel Settings area in Craft 3 is reserved for admin accounts, so in practice this is an admin-level account escalating to command execution as the web server user.
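The following is an added audit script, not code from the page or from the Craft CMS project, that checks whether the User Photo Location subpath contains anything beyond the simple variable substitution the field is intended for. It assumes the setting is persisted in the project config YAML under the key `users.photoSubpath` (an assumption about Craft's project-config layout) and treats tag blocks, filters, function calls and other non-trivial expressions as suspicious; the tampered sample uses the widely published Twig `filter('system')` payload shape. The config snippets are constructed and the UIDs are fake.

```python
import re

# Twig delimiters: {{ expr }} prints an expression, {% tag %} runs a statement,
# {# ... #} is a comment. Craft renders the User Photo Location subpath as Twig.
PRINT_RE = re.compile(r"\{\{(.*?)\}\}", re.S)
TAG_RE = re.compile(r"\{%(.*?)%\}", re.S)

# The legitimate use of the field: a bare variable or attribute chain,
# e.g. {{ username }} or {{ user.id }}. Anything else (filters with "|",
# calls with "(", literals, operators) is flagged.
PLAIN_VAR_RE = re.compile(r"^\s*[A-Za-z_]\w*(\.[A-Za-z_]\w*)*\s*$")


def classify_subpath(subpath):
    """Classify one subpath template.

    Returns (verdict, findings) where verdict is one of
      'static'      no Twig delimiters at all
      'plain'       only {{ var }} / {{ obj.attr }} prints
      'suspicious'  tag blocks or non-trivial expressions present
    """
    findings = []
    for body in TAG_RE.findall(subpath):
        findings.append("tag block: {% " + body.strip() + " %}")
    for body in PRINT_RE.findall(subpath):
        if not PLAIN_VAR_RE.match(body):
            findings.append("expression: {{ " + body.strip() + " }}")
    if findings:
        return "suspicious", findings
    if PRINT_RE.search(subpath):
        return "plain", findings
    return "static", findings


# Assumed project-config key name for the subpath setting.
SUBPATH_LINE_RE = re.compile(r"^\s*photoSubpath:\s*(.*?)\s*$", re.M)


def extract_photo_subpath(yaml_text):
    """Pull the photoSubpath scalar out of a project config file.

    Deliberately a line match rather than a YAML parser: the value is a
    one-line scalar and this keeps the script dependency-free. Surrounding
    quotes are stripped; a missing key yields None.
    """
    m = SUBPATH_LINE_RE.search(yaml_text)
    if not m:
        return None
    value = m.group(1)
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        value = value[1:-1]
    return value


def audit_project_config(yaml_text):
    """Return the verdict for the subpath stored in a project config file."""
    subpath = extract_photo_subpath(yaml_text)
    if subpath is None:
        return "static", []  # key absent: nothing to render
    return classify_subpath(subpath)


# Constructed samples resembling a Craft project config; UIDs are fake.
SAMPLE_BENIGN = """\
users:
  allowPublicRegistration: false
  photoSubpath: '{{ username }}'
  photoVolumeUid: 00000000-0000-0000-0000-000000000001
"""

SAMPLE_TAMPERED = """\
users:
  allowPublicRegistration: false
  photoSubpath: "{{ ['id']|filter('system') }}"
  photoVolumeUid: 00000000-0000-0000-0000-000000000001
"""

if __name__ == "__main__":
    for name, text in (("benign", SAMPLE_BENIGN), ("tampered", SAMPLE_TAMPERED)):
        verdict, findings = audit_project_config(text)
        print(name, verdict, findings)
```

Run it against a copy of the site's project config (or the value read from the `projectconfig` table) after any suspected control-panel compromise; a `suspicious` verdict is a strong indicator that the field was used as an injection point, whereas `plain` matches the only use the setting was designed for.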
Remediation
References
Related Vulnerabilities
MySQL Other Vulnerability (CVE-2003-0780)
XWiki Improper Handling of Insufficient Privileges Vulnerability (CVE-2024-21648)
Ruby Permissions, Privileges, and Access Controls Vulnerability (CVE-2011-1005)
Internet Information Services Other Vulnerability (CVE-2002-1695)
WordPress Plugin Advanced Custom Fields PRO Arbitrary File Upload (5.12.2)