First published: Tue Nov 14 2023
### Impact

Similar to [another advisory](https://github.com/statamic/cms/security/advisories/GHSA-72hg-5wr5-rmfc), certain additional PHP files crafted to look like images may be uploaded regardless of mime type validation rules. This affects front-end forms using the "Forms" feature, and asset upload fields in the control panel.

### Patches

It has been patched in 3.4.14 and 4.34.0.
Certain additional PHP files crafted to look like images may be uploaded regardless of mime type validation rules, affecting front-end forms using the "Forms" feature and asset uploads.
GHSA-2r53-9295-3m86 affects the Statamic CMS by allowing the upload of PHP files disguised as images, bypassing mime type validation rules.
The severity of GHSA-2r53-9295-3m86 is high, with a severity value of 8.8.
The CWE for GHSA-2r53-9295-3m86 is CWE-94.
To fix GHSA-2r53-9295-3m86, update the Statamic CMS to version 3.4.14 (for 3.x.x users) or version 4.34.0 (for 4.x.x users).
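One way to check a deployment against the fixed versions above is to read the installed Statamic version from `composer.lock`. This is an added example, not code from the advisory or from Statamic; it assumes the Composer package name is `statamic/cms` (matching the repository in the advisory link), and the sample lock content is constructed.

```python
import json
import re

# Fixed releases per major line, taken from the advisory text above.
PATCHED = {3: (3, 4, 14), 4: (4, 34, 0)}
PACKAGE = "statamic/cms"  # assumption: Composer name matches the GitHub repo
VERSION_RE = re.compile(r"^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?$")


def parse_version(text):
    """Turn 'v4.33.2' into (4, 33, 2); None for dev branches or pre-releases."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    return tuple(int(g or 0) for g in m.groups())


def classify(version_text):
    """Return 'affected', 'patched', or 'unknown' for one version string."""
    version = parse_version(version_text)
    # The advisory names fixes only for 3.x and 4.x; anything else, and any
    # version that cannot be parsed, is reported for manual review.
    if version is None or version[0] not in PATCHED:
        return "unknown"
    return "patched" if version >= PATCHED[version[0]] else "affected"


def check_lock(lock_json):
    """Find the package in composer.lock content; return (version, status)."""
    lock = json.loads(lock_json)
    packages = lock.get("packages", []) + lock.get("packages-dev", [])
    for pkg in packages:
        if pkg.get("name") == PACKAGE:
            version = pkg.get("version", "")
            return version, classify(version)
    return None, "not-installed"


# Constructed sample: a trimmed composer.lock with only the fields used here.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v10.30.1"},
        {"name": "statamic/cms", "version": "v4.33.0"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    print(check_lock(SAMPLE_LOCK))
```

Versions that resolve to `unknown` (branch aliases such as `dev-master`, pre-releases, or majors the advisory does not mention) need manual review rather than being treated as safe.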