CVE-2021-27903

9.8 CRITICAL

📋 TL;DR

CVE-2021-27903 is a remote code execution vulnerability in Craft CMS that allows an attacker to execute arbitrary code on the affected server. It affects Craft CMS installations where administrative changes are not restricted, and exploitation requires administrative access, for example through a hijacked administrator session. Sites running Craft CMS versions before 3.6.7 are vulnerable.

💻 Affected Systems

Products:
  • Craft CMS
Versions: All versions before 3.6.7
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires administrative access or session hijacking to exploit. Sites with restricted administrative changes are less vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with attacker gaining full control over the web server, potentially leading to data theft, malware deployment, or lateral movement within the network.

🟠 Likely Case

Attacker executes arbitrary code on the web server, potentially compromising the CMS installation, accessing sensitive data, or defacing the website.

🟢 If Mitigated

Limited impact with proper session security and administrative restrictions in place, though the vulnerability still exists in the codebase.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires administrative privileges or session hijacking. No public proof-of-concept has been released.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.6.7 and later

Vendor Advisory: https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#367---2021-02-23

Restart Required: No

Instructions:

1. Back up your Craft CMS installation and database.
2. Update Craft CMS to version 3.6.7 or later via Composer: 'composer require craftcms/cms:^3.6.7'.
3. Clear caches and verify the update.

🔧 Temporary Workarounds

Restrict Administrative Access (applies to: all)

Implement strict access controls and session management for administrative accounts.

Implement Web Application Firewall (applies to: all)

Deploy WAF rules to detect and block suspicious administrative actions.

🧯 If You Can't Patch

  • Implement strict session management with short timeouts and IP validation
  • Restrict administrative access to specific IP addresses or VPN-only access

🔍 How to Verify

Check if Vulnerable:

Check the Craft CMS version in the admin panel or via the 'composer show craftcms/cms' command.

Check Version:

composer show craftcms/cms | grep version

Verify Fix Applied:

Verify that the installed version is 3.6.7 or higher, and check the CHANGELOG to confirm the security fix is included.
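A scripted form of the version check above, added here as example code (not from the Craft CMS project or this advisory): it pulls the installed craftcms/cms version from constructed `composer show` output or a composer.lock fragment and compares it against the fixed release 3.6.7, treating unparseable versions (such as dev branches) as unknown rather than safe.

```python
import json
import re
from typing import Optional, Tuple

FIXED_VERSION = (3, 6, 7)  # first Craft CMS release carrying the fix, per the advisory
PACKAGE = "craftcms/cms"


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn '3.6.6', 'v3.6.6' or '3.6.7.1' into a comparable tuple.
    Non-numeric versions such as 'dev-develop' return None: unknown, not safe."""
    m = re.match(r"^v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version: Optional[str]) -> Optional[bool]:
    """True when the installed version is older than 3.6.7, None when unknown."""
    if version is None:
        return None
    parsed = parse_version(version)
    if parsed is None:
        return None
    return parsed < FIXED_VERSION  # tuple comparison: (3,6,6) < (3,6,7), (3,6,7,1) is not


def version_from_composer_show(output: str) -> Optional[str]:
    """Extract the installed version from `composer show craftcms/cms` text.
    The relevant line looks like 'versions : * 3.6.6'; the asterisk marks the installed one."""
    for line in output.splitlines():
        if line.strip().startswith("versions"):
            m = re.search(r"\*\s*(\S+)", line)
            return m.group(1) if m else None
    return None


def version_from_lock(lock_json: str) -> Optional[str]:
    """Extract the craftcms/cms version from the contents of composer.lock."""
    for pkg in json.loads(lock_json).get("packages", []):
        if pkg.get("name") == PACKAGE:
            return pkg.get("version")
    return None


# Constructed sample inputs, not captured from a real installation.
SAMPLE_SHOW = "name     : craftcms/cms\ndescrip. : Craft CMS\nversions : * 3.6.6\n"
SAMPLE_LOCK = json.dumps({"packages": [{"name": PACKAGE, "version": "3.6.7"}]})

if __name__ == "__main__":
    for label, ver in (("composer show", version_from_composer_show(SAMPLE_SHOW)),
                       ("composer.lock", version_from_lock(SAMPLE_LOCK))):
        print(f"{label}: {ver} -> vulnerable={is_vulnerable(ver)}")
```

On a real host, pipe `composer show craftcms/cms` into `version_from_composer_show` or pass the contents of composer.lock to `version_from_lock`.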

📡 Detection & Monitoring

Log Indicators:

  • Unusual administrative actions from unexpected IPs
  • Suspicious file uploads or code execution attempts in logs

Network Indicators:

  • Unexpected outbound connections from web server
  • Suspicious payloads in HTTP requests to admin endpoints

SIEM Query:

source="web_logs" AND (uri="/admin/*" OR user_agent="*admin*") AND status=200 AND src_ip NOT IN [allowed_admin_ips]
