Description
Craft CMS Potential Remote Code Execution via Twig SSTI
Note that exploitation requires a user with administrator access to the Craft control panel, and allowAdminChanges must be enabled for it to work, which is against Craft CMS's recommendation for any non-development environment:
https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production
Note: This is a follow-up to GHSA-f3cw-hg6r-chfv
Users should update to the patched versions (4.16.6 and 5.8.7) to mitigate the issue.
Resources: https://github.com/craftcms/cms/pull/17612
References
- https://github.com/craftcms/cms/security/advisories/GHSA-crcq-738g-pqvc
- https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv
- https://nvd.nist.gov/vuln/detail/CVE-2025-57811
- https://github.com/craftcms/cms/pull/17612
- https://github.com/craftcms/cms/commit/e77f8a287dcdda41f1724f525d03542f18566cbc
Packages
Package        Affected versions          Patched version
craftcms/cms   >= 4.0.0-RC1, <= 4.16.5    4.16.6
craftcms/cms   >= 5.0.0-RC1, <= 5.8.6     5.8.7
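The affected ranges above are easy to misread by hand because of the RC pre-release lower bounds. The following is an added example, not part of the advisory and not Craft's own code: it reads the craftcms/cms version from a composer.lock, orders versions the way Composer does (pre-releases below the matching final release), and combines the result with the allowAdminChanges precondition the advisory describes. The composer.lock content, the function names and the allow_admin_changes flag are assumptions made for this example.

```python
import json
import re

# Affected ranges as published in the advisory: (first affected, last affected, patched).
AFFECTED_RANGES = [
    ("4.0.0-RC1", "4.16.5", "4.16.6"),
    ("5.0.0-RC1", "5.8.6", "5.8.7"),
]

_PRERELEASE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL_RANK = 3  # a final release sorts above any pre-release of the same x.y.z

_VERSION_RE = re.compile(
    r"v?(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|rc)\.?(\d+))?", re.IGNORECASE
)


def parse_version(text):
    """Turn '4.16.5' or '5.0.0-RC1' into a tuple that compares like Composer orders them."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        # e.g. a 'dev-main' checkout: refuse rather than guess
        raise ValueError(f"unrecognised craftcms/cms version: {text!r}")
    core = tuple(int(x) for x in m.group(1, 2, 3))
    if m.group(4) is None:
        return core + (_FINAL_RANK, 0)
    return core + (_PRERELEASE_RANK[m.group(4).lower()], int(m.group(5)))


def patched_version_for(version):
    """Return the version to update to if `version` is affected, else None."""
    v = parse_version(version)
    for first, last, fixed in AFFECTED_RANGES:
        if parse_version(first) <= v <= parse_version(last):
            return fixed
    return None


def installed_cms_version(lock_text):
    """Pull the craftcms/cms version out of composer.lock JSON (None if not present)."""
    data = json.loads(lock_text)
    for pkg in data.get("packages", []) + data.get("packages-dev", []):
        if pkg.get("name") == "craftcms/cms":
            return pkg["version"]
    return None


def triage(lock_text, allow_admin_changes):
    """Combine the version check with the allowAdminChanges precondition from the advisory.

    allow_admin_changes is the effective value of Craft's allowAdminChanges setting,
    supplied by the caller (assumption: read from your config or environment)."""
    version = installed_cms_version(lock_text)
    if version is None:
        return "craftcms/cms not found in composer.lock"
    fixed = patched_version_for(version)
    if fixed is None:
        return f"craftcms/cms {version} is not in an affected range"
    if allow_admin_changes:
        return (f"craftcms/cms {version} is affected and allowAdminChanges is on: "
                f"an admin user can reach the Twig SSTI; update to {fixed}")
    return (f"craftcms/cms {version} is affected; allowAdminChanges is off, "
            f"which blocks the path the advisory describes, but still update to {fixed}")


# Constructed composer.lock fragment for demonstration (not from a real project).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "craftcms/cms", "version": "5.8.6"},
        {"name": "vendor/other-package", "version": "1.2.3"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    print(triage(SAMPLE_LOCK, allow_admin_changes=True))
```

Point the script at a real composer.lock by replacing SAMPLE_LOCK with the file's contents; a version the parser cannot order (such as a dev branch checkout) raises instead of silently reporting "not affected".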
Related vulnerabilities
Craft is a platform for creating digital experiences. In versions 4.0.0-RC1 through 4.16.5 and 5.0.0-RC1 through 5.8.6, there is a potential remote code execution vulnerability via Twig SSTI (Server-Side Template Injection). This is a follow-up to CVE-2024-52293. This vulnerability has been patched in versions 4.16.6 and 5.8.7.