CVE-2023-30179

CraftCMS version 3.7.59 is vulnerable to Server-Side Template Injection (SSTI). An authenticated attacker can inject Twig Template to User Photo Location field when setting User Photo Location in User Settings, lead to Remote Code Execution. NOTE: the vendor disputes this because only Administrators can add this Twig code, and (by design) Administrators are allowed to do that by default.
Code Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.2 HIGH
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
CISA-ADPADP
7.2 HIGH
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 87%
VendorProductVersion
craftcmscraft_cms
3.7.59
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://datnlq.gitbook.io/cve/craft-cms/cve-2023-30179-server-side-template-injection
https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#442---2023-03-14
https://github.com/github/advisory-database/pull/2443#issuecomment-1610040714
https://github.com/github/advisory-database/pull/2443#issuecomment-1610634200
https://datnlq.gitbook.io/cve/craft-cms/cve-2023-30179-server-side-template-injection
https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#442---2023-03-14
https://github.com/github/advisory-database/pull/2443#issuecomment-1610040714
https://github.com/github/advisory-database/pull/2443#issuecomment-1610634200