10 Nov 2023
Vulnérabilité CVE-2023-47129 CVE Vulnerability
Statmic is a core Laravel content management system Composer package. Prior to versions 3.4.13 and 4.33.0, on front-end forms with an asset upload field, PHP files crafted to look like images may be uploaded. This only affects forms using the "Forms" feature and not just _any_ arbitrary form. This does not affect the control panel. This issue has been patched in 3.4.13 and 4.33.0. (CVSS:8.3) (Last Update:2023-11-10 19:15:17)
Vulnerability Details :
Statmic is a core Laravel content management system Composer package. Prior to versions 3.4.13 and 4.33.0, on front-end forms with an asset upload field, PHP files crafted to look like images may be uploaded. This only affects forms using the "Forms" feature and not just _any_ arbitrary form. This does not affect the control panel. This issue has been patched in 3.4.13 and 4.33.0.
Exploit prediction scoring system (EPSS) score for CVE-2023-47129
We don't have an EPSS score for this CVE yet EPSS FAQ
CVSS scores for CVE-2023-47129
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Source |
---|---|---|---|---|---|
8.3 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H | 1.6 | 6.0 | Cette adresse e-mail est protégée contre les robots spammeurs. Vous devez activer le JavaScript pour la visualiser. |
CWE ids for CVE-2023-47129
- The product allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.Assigned by: Cette adresse e-mail est protégée contre les robots spammeurs. Vous devez activer le JavaScript pour la visualiser. (Secondary)
References for CVE-2023-47129
- https://github.com/statamic/cms/commit/098ef8024d97286ca501273c18ae75b646262d75 Front-end form asset field php file validation (#8971) · statamic/cms@098ef80 · GitHub
- https://github.com/statamic/cms/security/advisories/GHSA-72hg-5wr5-rmfc Remote code execution via front-end form uploads · Advisory · statamic/cms · GitHub
- https://github.com/statamic/cms/commit/f6c688154f6bdbd0b67039f8f11dcd98ba061e77 [4.x] Front-end form asset field php file validation (#8968) · statamic/cms@f6c6881 · GitHub