CVE-2023-47129

Statmic is a core Laravel content management system Composer package. Prior to versions 3.4.13 and 4.33.0, on front-end forms with an asset upload field, PHP files crafted to look like images may be uploaded. This only affects forms using the "Forms" feature and not just _any_ arbitrary form. This does not affect the control panel. This issue has been patched in 3.4.13 and 4.33.0.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.3 HIGH
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
GitHub_MCNA
8.4 HIGH
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 87%
VendorProductVersion
statamicstatamic
𝑥
< 3.4.13
statamicstatamic
4.0.0 ≤
𝑥
< 4.33.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/statamic/cms/commit/098ef8024d97286ca501273c18ae75b646262d75
https://github.com/statamic/cms/commit/f6c688154f6bdbd0b67039f8f11dcd98ba061e77
https://github.com/statamic/cms/security/advisories/GHSA-72hg-5wr5-rmfc
https://github.com/statamic/cms/commit/098ef8024d97286ca501273c18ae75b646262d75
https://github.com/statamic/cms/commit/f6c688154f6bdbd0b67039f8f11dcd98ba061e77
https://github.com/statamic/cms/security/advisories/GHSA-72hg-5wr5-rmfc