CWE
94
Advisory Published
Updated

GHSA-4w8r-3xrw-v25g: Code Injection

First published: Wed Sep 13 2023(Updated: )

### Impact This is a high-impact, low-complexity attack vector. Users running Craft installations before 4.4.15 are encouraged to update to at least that version to mitigate the issue. ### Mitigations * This has been fixed in Craft 4.4.15. You should ensure you’re running at least that version. * Refresh your security key in case it has already been captured. You can do that by running the `php craft setup/security-key` command and copying the updated `CRAFT_SECURITY_KEY` environment variable to all production environments. * If you have any other private keys stored as environment variables (e.g., S3 or Stripe), refresh those as well. * Out of an abundance of caution, you may want to force all your users to reset their passwords in case your database was compromised. You can do that by running `php craft resave/users --set passwordResetRequired --to "fn() => true"`. ### References https://github.com/craftcms/cms/commit/c0a37e15cc925c473e60e27fe64054993b867ac1#diff-47dd43d86f85161944dfcce2e41d31955c4184672d9bd9d82b948c6b01b86476 https://github.com/craftcms/cms/commit/7359d18d46389ffac86c2af1e0cd59e37c298857 https://github.com/craftcms/cms/commit/a270b928f3d34ad3bd953b81c304424edd57355e https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#4415---2023-07-03-critical

Affected SoftwareAffected VersionHow to fix
composer/craftcms/cms>=4.0.0-RC1<=4.4.14
4.4.15

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Frequently Asked Questions

  • What is the severity of GHSA-4w8r-3xrw-v25g?

    The severity of GHSA-4w8r-3xrw-v25g is critical with a severity value of 10.

  • How can I mitigate the vulnerability GHSA-4w8r-3xrw-v25g?

    To mitigate the vulnerability GHSA-4w8r-3xrw-v25g, you should update your Craft installation to at least version 4.4.15.

  • What is the impact of GHSA-4w8r-3xrw-v25g?

    The impact of GHSA-4w8r-3xrw-v25g is high, but the complexity of the attack vector is low.

  • What is the recommended version to fix GHSA-4w8r-3xrw-v25g?

    The recommended version to fix GHSA-4w8r-3xrw-v25g is at least Craft 4.4.15.

  • What is the CWE ID of GHSA-4w8r-3xrw-v25g?

    The CWE ID of GHSA-4w8r-3xrw-v25g is 94.

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203