CVE-2023-47129 HIGH

CVE-2023-47129: Statamic CMS remote code execution via front-end form uploads

Vendor Statamic
Product cms
Weakness CWE-434 · Unrestricted file upload
Published November 10, 2023
Last update September 3, 2024

CVSS base score

8.4/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

Statmic is a core Laravel content management system Composer package. Prior to versions 3.4.13 and 4.33.0, on front-end forms with an asset upload field, PHP files crafted to look like images may be uploaded. This only affects forms using the "Forms" feature and not just _any_ arbitrary form. This does not affect the control panel. This issue has been patched in 3.4.13 and 4.33.0.

Key dates

02Disclosure timeline

November 10, 2023 CVE published
September 3, 2024 Record updated