Rlarabee

Name of the Vulnerable Software and Affected Versions Craft Commerce versions prior to 4.10.3 Craft Commerce versions prior to 5.5.5 Description An SQL injection exists in the Commerce TotalRevenue widget. This allows authenticated control panel users to achieve remote code execution through a four-step chain. The issue occurs when unsanitized widget settings are interpolated into SQL expressions, utilizing PDO's default multi-statement query support to inject a serialized PHP object into the queue table. When the queue consumer processes the job, an unrestricted `unserialize()` call in yii2-queue instantiates a GuzzleHttp FileCookieJar gadget chain, where the ` destruct()` method writes a PHP webshell to the server's webroot. Queue processing is triggered via an unauthenticated endpoint. Recommendations Update to version 4.10.3. Update to version 5.5.5.

**Name of the Vulnerable Software and Affected Versions** Craft Commerce versions prior to 4.11.0 and 5.6.0 **Description** Craft Commerce, an ecommerce platform for Craft CMS, contains an Insecure Direct Object Reference (IDOR) issue within its cart functionality. This allows users to potentially hijack shopping carts by knowing or guessing the 32-character cart number. The `CartController` accepts a user-supplied `number` parameter to load and modify shopping carts, but performs no ownership validation. The code only verifies if the order exists and is incomplete, without checking if the requester is authorized to access it. This can lead to the takeover of shopping sessions and potential exposure of Personally Identifiable Information (PII). The issue stems from the lack of authorization checks in the `actionLoadCart()` and ` getCart()` functions within the `CartController`. Specifically, the code retrieves carts using the `Order::find()->number($number)->isCompleted(false)->one()` query without verifying user permissions. Attack vectors for obtaining cart numbers include referrer header leakage, browser history access, proxy/WAF logs, social engineering, and brute-force attempts. **Recommendations** Craft Commerce versions prior to 4.11.0 should be updated to version 4.11.0 or later. Craft Commerce versions prior to 5.6.0 should be updated to version 5.6.0 or later.

**Name of the Vulnerable Software and Affected Versions** Craft CMS versions prior to 5.9.0-beta.2 and versions prior to 4.17.0-beta.2 **Description** Craft is a content management system. The `actionSendActivationEmail()` endpoint is accessible to unauthenticated users and lacks permission checks for pending users. An attacker can trigger activation emails for any pending user account by knowing or guessing the user ID. If the attacker controls the target user’s email address, they can activate the account and gain access to the system. The issue stems from the endpoint accepting arbitrary `userId` parameters without verifying ownership. Attack scenarios include targeted account takeover, user ID brute-force enumeration, leveraging GraphQL for user information, and potential email spam or harassment. The `userId` parameter is retrieved using the `getRequiredBodyParam()` function. **Recommendations** Update to Craft CMS version 5.9.0-beta.2 or later. Update to Craft CMS version 4.17.0-beta.2 or later.

**Name of the Vulnerable Software and Affected Versions** Craft versions prior to 5.8.22 Craft versions prior to 4.16.18 **Description** Craft, a content management system (CMS), is susceptible to Remote Code Execution (RCE) through a Server-Side Template Injection (SSTI) issue. A malicious payload can be crafted using the Twig `map` filter within text fields that accept Twig input. This is possible in the Settings section of the Craft control panel or through the System Messages utility. To successfully exploit this, an attacker must have administrator access to the Craft Control Panel with the `allowAdminChanges` setting enabled, or a non-administrator account with `allowAdminChanges` disabled but access to the System Messages utility. The `allowAdminChanges` setting controls whether non-administrator users can modify settings within the Craft control panel. **Recommendations** Craft versions prior to 5.8.22 should be updated to version 5.8.22. Craft versions prior to 4.16.18 should be updated to version 4.16.18.

**Name of the Vulnerable Software and Affected Versions** Craft CMS versions 4.0.0-RC1 through 4.16.17 Craft CMS versions 5.0.0-RC1 through 5.8.21 **Description** A Remote Code Execution (RCE) vulnerability exists in Craft CMS where the `assembleLayoutFromPost()` function in `src/services/Fields.php` does not properly sanitize user-supplied configuration data before passing it to `Craft::createObject()`. This allows authenticated administrators to inject malicious Yii2 behavior configurations, potentially executing arbitrary system commands on the server. This is an unpatched variant of a behavior injection issue previously addressed in a different set of endpoints. The vulnerability is located in the `assembleLayoutFromPost()` function, specifically lines 1125-1143 of the `src/services/Fields.php` file, due to a missing call to `cleanseConfig()` on the `fieldLayout` POST parameter. The attack involves injecting a behavior using the 'as rce' key in the `fieldLayout` JSON POST parameter, which then triggers command execution when the model is validated. The vulnerability affects multiple admin controllers, including `TagsController`, `CategoriesController`, `EntryTypesController`, `GlobalsController`, `VolumesController`, `UsersController`, and `AddressesController`. **Recommendations** Craft CMS versions 4.0.0-RC1 through 4.16.17 should be updated to version 5.8.22 or later. Craft CMS versions 5.0.0-RC1 through 5.8.21 should be updated to version 5.8.22 or later.

**Name of the Vulnerable Software and Affected Versions** Craft versions 4.5.0-RC1 through 4.16.18 Craft versions 5.0.0-RC1 through 5.8.22 **Description** Craft is a content management system (CMS). The SSRF validation in Craft CMS’s GraphQL Asset mutation uses `gethostbyname()`, which only resolves IPv4 addresses. When a hostname has only AAAA (IPv6) records, the function returns the hostname string itself, bypassing SSRF protection. This bypasses a previous security fix. Exploitation requires GraphQL schema permissions for editing assets in the `VolumeName` volume and creating assets in the `VolumeName` volume. These permissions may be granted to authenticated users with appropriate GraphQL schema access and/or Public Schema (if misconfigured with write permissions). The vulnerable component is the GraphQL Asset mutation. **Recommendations** Update to Craft version 4.16.19 or later. Update to Craft version 5.8.23 or later.