Description
CraftCMS version 3.7.59 is vulnerable to Server-Side Template Injection (SSTI). An authenticated attacker who can edit the User Photo Location field in User Settings can supply Twig template syntax in place of a plain path. Because the field's value is rendered as a Twig template rather than treated as literal data, the injected template is evaluated on the server, which leads to Remote Code Execution.
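The following PHP/Twig snippet is an added illustration of the pattern the description refers to; it is not Craft CMS's own code. It contrasts a setting whose value is compiled as a Twig template with two hardened alternatives. It assumes the twig/twig library is installed via Composer, that the field value reaches Twig as template source (as the description implies), and that the `{{ 7*7 }}` and `{% set %}` inputs are constructed probe values, not a real exploit chain.

```php
<?php
// Added example, not Craft CMS code. Assumes twig/twig is installed via Composer.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// Vulnerable pattern (hypothetical): the user-controlled setting becomes
// template SOURCE, so any Twig syntax in it is compiled and executed.
function resolveLocationVulnerable(Environment $twig, string $setting, array $ctx): string
{
    return $twig->createTemplate($setting)->render($ctx);
}

// Hardened pattern 1: the template is fixed; the setting is only DATA.
// Nothing the user types is ever parsed as Twig.
function resolveLocationLiteral(Environment $twig, string $setting, array $ctx): string
{
    return $twig->createTemplate('{{ setting }}')->render(['setting' => $setting] + $ctx);
}

// Hardened pattern 2: if simple placeholders such as {{ username }} must be
// supported, render in a Twig sandbox with an empty policy: no tags, no
// filters, no functions, no method or property access. Variable lookups and
// arithmetic still work; anything that could reach PHP is refused.
function resolveLocationSandboxed(string $setting, array $ctx): string
{
    $twig = new Environment(new ArrayLoader());
    $policy = new SecurityPolicy([], [], [], [], []);
    $twig->addExtension(new SandboxExtension($policy, true)); // sandbox every template
    try {
        return $twig->createTemplate($setting)->render($ctx);
    } catch (SecurityError $e) {
        // Reject the setting outright rather than falling back to raw rendering.
        throw new RuntimeException('Rejected photo location: ' . $e->getMessage(), 0, $e);
    }
}

$twig = new Environment(new ArrayLoader());
$ctx  = ['username' => 'alice']; // constructed request context

// Constructed probe: a path that is really a Twig expression.
$probe = 'photos/{{ 7*7 }}';

// Vulnerable: the expression is evaluated -> "photos/49", proving template
// execution; an attacker would substitute something far worse than 7*7.
echo resolveLocationVulnerable($twig, $probe, $ctx), PHP_EOL;

// Literal: the braces survive untouched (HTML-escaped, but never evaluated).
echo resolveLocationLiteral($twig, $probe, $ctx), PHP_EOL;

// Sandboxed: a plain placeholder is fine...
echo resolveLocationSandboxed('photos/{{ username }}', $ctx), PHP_EOL;

// ...but a tag (the building block of most Twig RCE chains) is refused.
try {
    resolveLocationSandboxed('{% set x = 1 %}photos/{{ x }}', $ctx);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The literal variant is the right fix when the setting is meant to be a static path. The sandboxed variant trades some risk for flexibility and should be paired with least privilege: a field that is evaluated as a template, even sandboxed, should not be editable by low-privilege accounts.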
Remediation
References
Related Vulnerabilities
WordPress Plugin Flip Book 'php.php' Arbitrary File Upload (1.0)
OpenSSL Improper Authentication Vulnerability (CVE-2009-0591)
OpenSSL Permissions, Privileges, and Access Controls Vulnerability (CVE-2011-1473)
WordPress Plugin Conversador Cross-Site Scripting (2.61)
WordPress Plugin Simple Behance Portfolio Cross-Site Scripting (0.2)