CVE-2024-52293
EUVD-2024-3241
13.11.2024, 16:15
Craft is a content management system (CMS). Prior to 4.12.2 and 5.4.3, Craft is missing a normalizePath call in the function FileHelper::absolutePath, which could lead to Remote Code Execution on the server via Twig SSTI. This is a sequel to CVE-2023-40035. This vulnerability is fixed in 4.12.2 and 5.4.3.
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| craftcms | craft_cms | 4.0.0 < 𝑥 < 4.12.2 |
| craftcms | craft_cms | 5.0.0 < 𝑥 < 5.4.3 |
| craftcms | craft_cms | 4.0.0:rc1 |
| craftcms | craft_cms | 4.0.0:rc2 |
| craftcms | craft_cms | 4.0.0:rc3 |
| craftcms | craft_cms | 5.0.0:rc1 |
𝑥 = vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
| Vendor | Product | Version | Source |
|---|---|---|---|
| craftcms | craft_cms | 𝑥 ≤ 4.0.0-RC1 | ADP |
| craftcms | craft_cms | 𝑥 < 4.12.2 | ADP |
| craftcms | craft_cms | 𝑥 ≤ 5.0.0-RC1 | ADP |
| craftcms | craft_cms | 𝑥 < 5.4.3 | ADP |