Pixel & Tonic · Craft CMS · CVE-2026-33157
**Name of the Vulnerable Software and Affected Versions**
Craft CMS versions 4.x through 5.9.12
**Description**
Craft CMS contains a Remote Code Execution (RCE) issue that bypasses previous security fixes. This allows any authenticated user with control panel access to potentially execute arbitrary code. The issue stems from insufficient sanitization of the `fieldLayouts` parameter in the `ElementIndexesController::actionFilterHud()` function, which is passed directly to `FieldLayout::createFromConfig()` without proper cleansing. Specifically, the `fieldLayouts` parameter is not processed with `cleanseConfig()`, unlike the `conditionConfig` parameter. This enables the injection of Yii2 behavior/event keys (such as `as`- and `on`-prefixed keys), leading to the instantiation of arbitrary objects and ultimately the execution of shell commands via a chain of events involving `Component::get()`, `call_user_func()`, and `shell_exec()`.
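The sanitisation step the advisory describes, stripping Yii2 behavior (`as ...`) and event (`on ...`) keys from a user-supplied config array before it reaches a `createFromConfig()`-style factory, as an added illustration. This is not Craft CMS's own `cleanseConfig()` implementation and not code from the advisory; the function name `stripYiiMagicKeys`, the nested-array recursion and the sample `fieldLayouts` payload are constructed assumptions for the example.

```php
<?php
declare(strict_types=1);

/**
 * Recursively remove Yii2 "magic" configuration keys from an untrusted array.
 *
 * Yii2 gives array keys of the form "as <name>" (attach a behavior) and
 * "on <name>" (attach an event handler) special meaning when a component is
 * configured from an array, so a request parameter that is fed straight into
 * a createFromConfig()-style factory must not carry them.
 *
 * Hypothetical helper written for this example; it is modelled on the idea of
 * the cleanseConfig() step mentioned in the advisory, not on Craft's code.
 * The match is deliberately a little broader than Yii's exact "as " / "on "
 * prefixes (any whitespace after the word) so a denylist miss is less likely.
 *
 * @param array<mixed> $config   untrusted configuration array
 * @param string[]     $removed  filled with the keys that were dropped
 * @return array<mixed>          the same structure without magic keys
 */
function stripYiiMagicKeys(array $config, array &$removed = []): array
{
    $clean = [];
    foreach ($config as $key => $value) {
        if (is_string($key) && preg_match('/^(as|on)\s/', $key) === 1) {
            $removed[] = $key;
            continue; // drop the behavior/event key and its whole subtree
        }
        // Recurse so keys nested inside tabs/elements are cleaned as well.
        $clean[$key] = is_array($value) ? stripYiiMagicKeys($value, $removed) : $value;
    }
    return $clean;
}

// Constructed sample payload (not a real exploit): a field-layout style array
// carrying behavior/event keys at the top level and two levels down.
$untrusted = [
    'tabs' => [
        [
            'name'         => 'Content',
            'on afterInit' => 'some_callable',
            'elements'     => [
                [
                    'type'        => 'ExampleElementType',
                    'as injected' => ['class' => 'stdClass'],
                ],
            ],
        ],
    ],
    'as evil' => ['class' => 'stdClass'],
];

$removed = [];
$safe    = stripYiiMagicKeys($untrusted, $removed);

// Expected: ['on afterInit', 'as injected', 'as evil'] were removed and the
// remaining structure (tabs -> name/elements -> type) is intact.
echo "Removed keys: " . implode(', ', $removed) . PHP_EOL;
echo json_encode($safe, JSON_PRETTY_PRINT) . PHP_EOL;

// A request handler would reject, or at least log, a request whose config
// needed any key removed, rather than silently continuing.
if ($removed !== []) {
    error_log('Rejected config with Yii2 magic keys: ' . implode(', ', $removed));
}
```

Run with `php strip_keys.php`. The key design point is that the filter is applied to every user-controlled config array before it reaches the factory, and that the recursion covers nested tabs and elements, since the advisory's bypass hinged on one parameter (`fieldLayouts`) escaping the cleansing that its sibling (`conditionConfig`) received; an allow-list of expected keys per nesting level would be stricter still.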
**Recommendations**
Craft CMS versions 4.x through 5.9.12 should be updated to version 5.9.13 or later.