CVE-2023-41892: Craft CMS Remote Code Execution vulnerability
First published: Wed Sep 13 2023(Updated: )
### Impact This is a high-impact, low-complexity attack vector. Users running Craft installations before 4.4.15 are encouraged to update to at least that version to mitigate the issue. ### Mitigations * This has been fixed in Craft 4.4.15. You should ensure you’re running at least that version. * Refresh your security key in case it has already been captured. You can do that by running the `php craft setup/security-key` command and copying the updated `CRAFT_SECURITY_KEY` environment variable to all production environments. * If you have any other private keys stored as environment variables (e.g., S3 or Stripe), refresh those as well. * Out of an abundance of caution, you may want to force all your users to reset their passwords in case your database was compromised. You can do that by running `php craft resave/users --set passwordResetRequired --to "fn() => true"`. ### References https://github.com/craftcms/cms/commit/c0a37e15cc925c473e60e27fe64054993b867ac1#diff-47dd43d86f85161944dfcce2e41d31955c4184672d9bd9d82b948c6b01b86476 https://github.com/craftcms/cms/commit/7359d18d46389ffac86c2af1e0cd59e37c298857 https://github.com/craftcms/cms/commit/a270b928f3d34ad3bd953b81c304424edd57355e https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#4415---2023-07-03-critical
Credit: security-advisories@github.com security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/craftcms/cms | >=4.0.0-RC1<=4.4.14 | 4.4.15 |
| CraftCMS Craft CMS | >=4.4.0<4.4.15 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#4415---2023-07-03-critical
- https://github.com/craftcms/cms/commit/7359d18d46389ffac86c2af1e0cd59e37c298857
- https://github.com/craftcms/cms/commit/a270b928f3d34ad3bd953b81c304424edd57355e
- https://github.com/craftcms/cms/commit/c0a37e15cc925c473e60e27fe64054993b867ac1
- https://github.com/craftcms/cms/commit/c0a37e15cc925c473e60e27fe64054993b867ac1#diff-47dd43d86f85161944dfcce2e41d31955c4184672d9bd9d82b948c6b01b86476
- https://github.com/craftcms/cms/security/advisories/GHSA-4w8r-3xrw-v25g
- http://packetstormsecurity.com/files/176303/Craft-CMS-4.4.14-Remote-Code-Execution.html
- https://nvd.nist.gov/vuln/detail/CVE-2023-41892
- https://github.com/advisories/GHSA-4w8r-3xrw-v25g (Advisory)
Frequently Asked Questions
What is CVE-2023-41892?
CVE-2023-41892 is a vulnerability in Craft CMS that allows for a high-impact, low-complexity attack.
How severe is CVE-2023-41892?
CVE-2023-41892 is considered critical with a severity value of 10.
How do I mitigate CVE-2023-41892?
To mitigate CVE-2023-41892, users running Craft installations before version 4.4.15 should update to at least that version.
Where can I find more information about CVE-2023-41892?
You can find more information about CVE-2023-41892 in the Craft CMS CHANGELOG and commit history on GitHub, provided in the references.
What is the Common Weakness Enumeration (CWE) for CVE-2023-41892?
The Common Weakness Enumeration (CWE) for CVE-2023-41892 is CWE-94.
- collector/github-advisory-latest
- alias/GHSA-4w8r-3xrw-v25g
- alias/CVE-2023-41892
- collector/github-advisory
- agent/type
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/weakness
- agent/severity
- agent/remedy
- agent/last-modified-date
- agent/title
- agent/author
- agent/description
- agent/event
- agent/trending
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-api
- agent/software-canonical-lookup-request
- collector/nvd-cve
- collector/nvd-index
- package-manager/composer
- vendor/craftcms
- canonical/craftcms craft cms
- version/craftcms craft cms/4.4.0