Vulnerability Description
Statmatic is a Laravel and Git powered content management system (CMS). Prior to version 5.17.0, assets uploaded with appropriately crafted filenames may result in them being placed in a location different than what was configured. The issue affects front-end forms with `assets` fields and other places where assets can be uploaded, although users would need upload permissions anyway. Files can be uploaded so they would be located on the server in a different location, and potentially override existing files. Traversal outside an asset container is not possible. This path traversal vulnerability has been fixed in 5.17.0.
CVSS Score
MEDIUM
Related Weaknesses (CWE)
References
- https://github.com/statamic/cms/commit/0c07c10009a2439c8ee56c8faefd1319dc6e388d
- https://github.com/statamic/cms/commit/400875b20f40e1343699d536a432a6fc284346da
- https://github.com/statamic/cms/commit/4cc2c9bd0f39a93b3fc7e9ef0f12792576fd380d
- https://github.com/statamic/cms/security/advisories/GHSA-p7f6-8mcm-fwv3
FAQ
What is CVE-2024-52600?
CVE-2024-52600 is a vulnerability with a CVSS score of 5.3 (MEDIUM). Statmatic is a Laravel and Git powered content management system (CMS). Prior to version 5.17.0, assets uploaded with appropriately crafted filenames may result in them being placed in a location diff...
How severe is CVE-2024-52600?
CVE-2024-52600 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-52600?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.