CVE-2023-47129
8.4
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Summary
Statmic is a core Laravel content management system Composer package. Prior to versions 3.4.13 and 4.33.0, on front-end forms with an asset upload field, PHP files crafted to look like images may be uploaded. This only affects forms using the "Forms" feature and not just any arbitrary form. This does not affect the control panel. This issue has been patched in 3.4.13 and 4.33.0.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| statamic | cms | < 3.4.13 | affected |
| statamic | cms | >= 4.0.0, < 4.33.0 | affected |
Weaknesses
- CWE-434: CWE-434: Unrestricted Upload of File with Dangerous Type
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/statamic/cms/security/advisories/GHSA-72hg-5wr5-rmfc
- https://github.com/statamic/cms/commit/098ef8024d97286ca501273c18ae75b646262d75
- https://github.com/statamic/cms/commit/f6c688154f6bdbd0b67039f8f11dcd98ba061e77
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://github.com/statamic/cms/security/advisories/GHSA-72hg-5wr5-rmfc
- https://github.com/statamic/cms/commit/098ef8024d97286ca501273c18ae75b646262d75
- https://github.com/statamic/cms/commit/f6c688154f6bdbd0b67039f8f11dcd98ba061e77
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.