CVE-2024-52293

high-risk

Published 2024-11-13

Craft is a content management system (CMS). Prior to 4.12.2 and 5.4.3, Craft is missing normalizePath in the function FileHelper::absolutePath could lead to Remote Code Execution on the server via twig SSTI. This is a sequel to CVE-2023-40035. This vulnerability is fixed in 4.12.2 and 5.4.3.

Do I need to act?

22.0% chance of exploitation in next 30 days

EPSS score — higher than 78% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.2/10 High

NETWORK / LOW complexity

Affected Products (5)

Craft Cms

Affected Vendors

Craftcms

References (2)

Patch https://github.com/craftcms/cms/commit/123e48a696de1e2f63ab519d4730eb3b87beaa58

Exploit https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv

/ 100

high-risk

Severity 26/34 · High

Exploitability 14/34 · Moderate

Exposure 12/34 · Low