Vulnerability Description
Craft is a CMS for creating custom digital experiences on the web and beyond. Bypassing the validatePath function can lead to potential remote code execution. This vulnerability can lead to malicious control of vulnerable systems and data exfiltrations. Although the vulnerability is exploitable only in the authenticated users, configuration with ALLOW_ADMIN_CHANGES=true, there is still a potential security threat (Remote Code Execution). This issue has been patched in version 4.4.15 and version 3.8.15.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Craftcms | Craft Cms | >= 3.0.0, < 3.8.15 |
Related Weaknesses (CWE)
References
- https://github.com/craftcms/cms/commit/0bd33861abdc60c93209cff03eeee54504d3d3b5Patch
- https://github.com/craftcms/cms/releases/tag/3.8.15Release Notes
- https://github.com/craftcms/cms/releases/tag/4.4.15Release Notes
- https://github.com/craftcms/cms/security/advisories/GHSA-44wr-rmwq-3phwExploitVendor Advisory
- https://github.com/craftcms/cms/commit/0bd33861abdc60c93209cff03eeee54504d3d3b5Patch
- https://github.com/craftcms/cms/releases/tag/3.8.15Release Notes
- https://github.com/craftcms/cms/releases/tag/4.4.15Release Notes
- https://github.com/craftcms/cms/security/advisories/GHSA-44wr-rmwq-3phwExploitVendor Advisory
FAQ
What is CVE-2023-40035?
CVE-2023-40035 is a vulnerability with a CVSS score of 7.2 (HIGH). Craft is a CMS for creating custom digital experiences on the web and beyond. Bypassing the validatePath function can lead to potential remote code execution. This vulnerability can lead to malicious ...
How severe is CVE-2023-40035?
CVE-2023-40035 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-40035?
Check the references section above for vendor advisories and patch information. Affected products include: Craftcms Craft Cms.