What is CVE-2023-47129?

CVE-2023-47129 is a vulnerability in the Statamic CMS that allows for remote code execution via front-end form uploads.

How does CVE-2023-47129 affect Statamic CMS?

CVE-2023-47129 affects Statamic CMS versions prior to 3.4.13 and 4.33.0.

What is the severity level of CVE-2023-47129?

CVE-2023-47129 has a severity level of high (8.4).

How can I fix CVE-2023-47129?

To fix CVE-2023-47129, update Statamic CMS to versions 3.4.13 or 4.33.0 or later.

What is the CWE associated with CVE-2023-47129?

The CWE associated with CVE-2023-47129 is CWE-434.

Vulnerability/
CVE-2023-47129

critical

9.8

CWE

434

10/11/2023

12/11/2023

3/9/2024

CVE-2023-47129: Statamic CMS remote code execution via front-end form uploads

First published: Fri Nov 10 2023(Updated: )

### Impact On front-end forms with an asset upload field, PHP files crafted to look like images may be uploaded regardless of mime validation rules. This only affects forms using the "Forms" feature and not just _any_ arbitrary form. This does not affect the control panel. ### Patches It has been patched in 3.4.13 and 4.33.0.

Credit: security-advisories@github.com security-advisories@github.com

Affected Software	Affected Version	How to fix
composer/statamic/cms	<3.4.13	3.4.13
composer/statamic/cms	>=4.0.0<4.33.0	4.33.0
Statamic Statamic	<3.4.13
Statamic Statamic	>=4.0.0<4.33.0

Remedy

https://github.com/statamic/cms/commit/098ef8024d97286ca501273c18ae75b646262d75

Remedy

https://github.com/statamic/cms/commit/f6c688154f6bdbd0b67039f8f11dcd98ba061e77

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2023-47129?
CVE-2023-47129 is a vulnerability in the Statamic CMS that allows for remote code execution via front-end form uploads.
How does CVE-2023-47129 affect Statamic CMS?
CVE-2023-47129 affects Statamic CMS versions prior to 3.4.13 and 4.33.0.
What is the severity level of CVE-2023-47129?
CVE-2023-47129 has a severity level of high (8.4).
How can I fix CVE-2023-47129?
To fix CVE-2023-47129, update Statamic CMS to versions 3.4.13 or 4.33.0 or later.
What is the CWE associated with CVE-2023-47129?
The CWE associated with CVE-2023-47129 is CWE-434.

collector/github-advisory-latest
alias/GHSA-72hg-5wr5-rmfc
alias/CVE-2023-47129
collector/nvd-api
collector/nvd-cve
collector/github-advisory
agent/references
agent/severity
agent/weakness
agent/title
agent/author
agent/type
agent/description
agent/event
agent/first-publish-date
agent/softwarecombine
agent/last-modified-date
agent/remedy
agent/tags
collector/mitre-cve
source/MITRE
package-manager/composer
vendor/statamic
canonical/statamic statamic
version/statamic statamic/4.0.0

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.