CVE-2023-47129: Statamic CMS remote code execution via front-end form uploads
First published: Fri Nov 10 2023(Updated: )
### Impact On front-end forms with an asset upload field, PHP files crafted to look like images may be uploaded regardless of mime validation rules. This only affects forms using the "Forms" feature and not just _any_ arbitrary form. This does not affect the control panel. ### Patches It has been patched in 3.4.13 and 4.33.0.
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/statamic/cms | <3.4.13 | 3.4.13 |
| composer/statamic/cms | >=4.0.0<4.33.0 | 4.33.0 |
| Statamic Statamic | <3.4.13 | |
| Statamic Statamic | >=4.0.0<4.33.0 | |
| <3.4.13 | ||
| >=4.0.0<4.33.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/statamic/cms/security/advisories/GHSA-72hg-5wr5-rmfc
- https://nvd.nist.gov/vuln/detail/CVE-2023-47129
- https://github.com/statamic/cms/commit/098ef8024d97286ca501273c18ae75b646262d75
- https://github.com/statamic/cms/commit/f6c688154f6bdbd0b67039f8f11dcd98ba061e77
- https://github.com/advisories/GHSA-72hg-5wr5-rmfc (Advisory)
Frequently Asked Questions
What is CVE-2023-47129?
CVE-2023-47129 is a vulnerability in the Statamic CMS that allows for remote code execution via front-end form uploads.
How does CVE-2023-47129 affect Statamic CMS?
CVE-2023-47129 affects Statamic CMS versions prior to 3.4.13 and 4.33.0.
What is the severity level of CVE-2023-47129?
CVE-2023-47129 has a severity level of high (8.4).
How can I fix CVE-2023-47129?
To fix CVE-2023-47129, update Statamic CMS to versions 3.4.13 or 4.33.0 or later.
What is the CWE associated with CVE-2023-47129?
The CWE associated with CVE-2023-47129 is CWE-434.
- collector/github-advisory-latest
- alias/GHSA-72hg-5wr5-rmfc
- alias/CVE-2023-47129
- collector/nvd-cve
- collector/github-advisory
- agent/author
- agent/type
- agent/first-publish-date
- agent/remedy
- agent/weakness
- agent/severity
- agent/references
- agent/title
- agent/description
- collector/mitre-cve
- source/MITRE
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/softwarecombine
- agent/event
- agent/trending
- agent/tags
- agent/source
- package-manager/composer
- vendor/statamic
- canonical/statamic statamic
- version/statamic statamic/4.0.0