PT-2023-23955 · Craft Cms · Craft Cms

Awakerrday · Published 2023-05-19 · Updated 2023-05-26 · CVE-2023-32679

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Craft CMS versions prior to 4.4.6

Description: The issue is an unrestricted file extension in template resolution that can lead to remote code execution. In View.php, the call chain doesTemplateExist() -> resolveTemplate() -> resolveTemplateInternal() -> resolveTemplate() returns a resolved path as soon as the name parameter is a non-empty string, without verifying the file's extension, so a file with any extension can be rendered as a Twig template. An attacker who already holds admin privileges (hence PR:H in the CVSS vector) on a DEV environment, or on an improperly configured STG or PROD environment, can exploit this to achieve remote code execution and potentially gain access to the host operating system. At the time of writing, 371 domains running Craft CMS were exposed on Shodan, 33 of them with "stage" or "dev" in the hostname, which suggests a realistic attack surface.

Recommendations: Upgrade Craft CMS installations older than 4.4.6 to version 4.4.6 or later. As a temporary workaround, add extension verification in resolveTemplateInternal() so that only files with the configured template extensions can be rendered as Twig templates. Note that such a workaround modifies vendor code and will be lost on the next composer update, so it should be replaced by the upgrade as soon as possible.
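The following is an added illustration of the resolution flaw and of the extension check the workaround calls for. It is not Craft's code and not the vendor's patch: the class, its method names and the templates-root layout are hypothetical, and the allowlist of twig and html is an assumption that mirrors the shape of Craft's defaultTemplateExtensions setting rather than a verified reading of it.

```php
<?php
declare(strict_types=1);

// Added example, not Craft CMS code. Models the flaw described above: a
// resolver that hands back any existing file under the templates root as soon
// as the requested name is non-empty, next to a resolver that additionally
// enforces an extension allowlist before the file may be treated as Twig.
final class TemplateResolver
{
    // Assumed allowlist; Craft's real setting is defaultTemplateExtensions.
    private const ALLOWED_EXTENSIONS = ['twig', 'html'];

    public function __construct(private string $templatesRoot)
    {
    }

    /** Vulnerable shape: a non-empty name that maps to an existing file is accepted as-is. */
    public function resolveUnchecked(string $name): ?string
    {
        if ($name === '') {
            return null;
        }
        $path = $this->templatesRoot . DIRECTORY_SEPARATOR . $name;

        return is_file($path) ? $path : null;
    }

    /** Hardened shape: same lookup, but the file must carry an allowed template extension. */
    public function resolveChecked(string $name): ?string
    {
        $path = $this->resolveUnchecked($name);
        if ($path === null) {
            return null;
        }
        $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
        if (!in_array($ext, self::ALLOWED_EXTENSIONS, true)) {
            // A .txt, .svg or other non-template file is refused here instead of
            // being handed to the Twig engine.
            return null;
        }

        return $path;
    }
}

// Self-contained demo with a constructed temporary templates directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_' . bin2hex(random_bytes(4));
mkdir($root);
file_put_contents($root . '/index.twig', "<p>{{ 'hello' }}</p>\n");
file_put_contents($root . '/notes.txt', "{{ 'not meant to be a template' }}\n");

$resolver = new TemplateResolver($root);
foreach (['index.twig', 'notes.txt', ''] as $name) {
    printf(
        "%-14s unchecked=%-9s checked=%s\n",
        var_export($name, true),
        $resolver->resolveUnchecked($name) !== null ? 'resolved' : 'null',
        $resolver->resolveChecked($name) !== null ? 'resolved' : 'null'
    );
}

// Clean up the constructed fixture.
array_map('unlink', glob($root . '/*'));
rmdir($root);
```

Run with php 8.0 or later. The .txt file is handed back by the unchecked resolver but refused by the checked one, which is exactly the difference the workaround introduces; the empty name is rejected by both, matching the one check the vulnerable path already performs. The allowlist only controls which files may be treated as templates; it does not by itself decide who is allowed to create or edit files under the templates root, which remains an admin-level capability.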

Tags: Exploit · Fix · RCE · Special Elements Injection

Weakness Enumeration

Related Identifiers: CVE-2023-32679, GHSA-VQXF-R9PH-CC9C

Affected Products: Craft Cms