PT-2024-35159 · Craft · Craft

Rewhile · Published 2024-11-13 · Updated 2025-08-28 · CVE-2024-52293

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Craft versions prior to 4.12.2 and 5.4.3

Description: The issue is caused by a missing normalizePath call in the FileHelper::absolutePath function, which can lead to Remote Code Execution on the server via Twig Server Side Template Injection (SSTI). The vulnerability can be exploited by authenticated users when ALLOW_ADMIN_CHANGES=true. It allows the creation of a Local filesystem within system directories, the upload of a malicious poc.ttml file, and the execution of arbitrary code through a new route with the template path poc/poc.ttml.

Technical details of the exploitation involve specific API endpoints and variables, such as the FileHelper::absolutePath function and the isSystemDir function in Security.php. The find filter in Twig was also used in the proof of concept.

Recommendations: For Craft versions prior to 4.12.2, update to version 4.12.2 or later. For Craft versions prior to 5.4.3, update to version 5.4.3 or later. As a temporary workaround, consider disabling the FileHelper::absolutePath function until a patch is available. Restrict access to the Security.php and Local.php files to minimize the risk of exploitation. Avoid using the find filter in Twig until the issue is resolved.

Tags: Exploit · Fix · RCE · Path traversal · Code Injection

Weakness Enumeration

Related Identifiers

BDU:2025-01100
CVE-2024-52293
GHSA-F3CW-HG6R-CHFV

Affected Products

Craft