CVE-2024-52292

Published: Nov 13, 2024Modified: Nov 19, 2024

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

Craft is a content management system (CMS). The dataUrl function can be exploited if an attacker has write permissions on system notification templates. This function accepts an absolute file path, reads the file's content, and converts it into a Base64-encoded string. By embedding this function within a system notification template, the attacker can exfiltrate the Base64-encoded file content through a triggered system email notification. Once the email is received, the Base64 payload can be decoded, allowing the attacker to read arbitrary files on the server. This is fixed in 5.4.9 and 4.12.8.

Affected (2)

Products: Craftcms: Craft Cms

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Craftcms Craft Cms	From 3.5.13 to 4.12.8
Craftcms Craft Cms	From 5.0.0 to 5.4.9

Related CWEs

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Files or Directories Accessible to External Parties

The product makes files or directories accessible to unauthorized actors, even though they should not be.

References (1)

https://github.com/craftcms/cms/security/advisories/GHSA-cw6g-qmjq-6w2w

Source: security-advisories@github.com

ExploitVendor Advisory

Timeline

No history available yet.