CVE-2023-47129

Published: Nov 10, 2023Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

Statmic is a core Laravel content management system Composer package. Prior to versions 3.4.13 and 4.33.0, on front-end forms with an asset upload field, PHP files crafted to look like images may be uploaded. This only affects forms using the "Forms" feature and not just _any_ arbitrary form. This does not affect the control panel. This issue has been patched in 3.4.13 and 4.33.0.

Affected (2)

Products: Statamic: Statamic

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Statamic Statamic	Before 3.4.13
Statamic Statamic	From 4.0.0 to 4.33.0

Related CWEs

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

References (6)

https://github.com/statamic/cms/commit/098ef8024d97286ca501273c18ae75b646262d75

Source: security-advisories@github.com

Patch

https://github.com/statamic/cms/commit/f6c688154f6bdbd0b67039f8f11dcd98ba061e77

Source: security-advisories@github.com

Patch

https://github.com/statamic/cms/security/advisories/GHSA-72hg-5wr5-rmfc

Source: security-advisories@github.com

Vendor Advisory

https://github.com/statamic/cms/commit/098ef8024d97286ca501273c18ae75b646262d75

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://github.com/statamic/cms/commit/f6c688154f6bdbd0b67039f8f11dcd98ba061e77

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://github.com/statamic/cms/security/advisories/GHSA-72hg-5wr5-rmfc

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.