CVE-2023-30179

Name of the Vulnerable Software and Affected Versions CraftCMS version 3.7.59

Description The issue concerns Server-Side Template Injection (SSTI), where an authenticated attacker can inject Twig Template into the User Photo Location field in User Settings, potentially leading to Remote Code Execution. However, the vendor disputes this vulnerability, stating that only Administrators can add this Twig code and are allowed to do so by design. The maintainers of Craft CMS also note that administrators have legitimate business needs for their permissions and that the underlying issue likely has little to no real-world security impact.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.