Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.11, in src/controllers/EntryTypesController.php, the $settings array from parse_str is passed directly to Craft::configure() without Component::cleanseConfig(). This allows injecting Yii2 behavior/event handlers via "as" or "on" prefixed keys, the same attack vector as the original advisory.
Craft control panel administrator permissions and allowAdminChanges must be enabled for this to work. This issue has been patched in version 5.9.11.
Attack Parameters
Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Attack Requirements
None
No additional conditions
Privileges Required
High
Admin privileges needed
User Interaction
None
No user interaction needed
Impact Assessment
Confidentiality
High
Complete data leak
Integrity
High
Complete data modification
Availability
High
Complete denial of service
CVSS Vector v4.0
Weakness Type (CWE)
Vulnerable Products 1
| Configuration | From (including) | Up to (excluding) |
|---|---|---|
|
Craftcms Craft_Cms
cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*
|
5.6.0
|
5.9.11
|
References 3
https://github.com/craftcms/cms/commit/d37389dbffafa565143be40a2ab1e1db22a863f7
security-advisories@github.com
https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7
security-advisories@github.com
https://github.com/craftcms/cms/security/advisories/GHSA-qx2q-q59v-wf3j
security-advisories@github.com