CVE-2021-33199

9.8 CRITICAL

📋 TL;DR

This vulnerability in Expression Engine allows attackers to manipulate file paths through untrusted input, potentially leading to arbitrary file inclusion or remote code execution. It affects Expression Engine installations before version 6.0.3. The issue stems from improper input validation in the addonIcon function.

💻 Affected Systems

Products:
  • Expression Engine
Versions: All versions before 6.0.3
Operating Systems: All platforms running Expression Engine
Default Config Vulnerable: ⚠️ Yes
Notes: All Expression Engine installations with the vulnerable code path are affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case

Arbitrary file inclusion allowing sensitive file disclosure or limited code execution.

🟢 If Mitigated

No impact with proper input validation and file path restrictions.

🌐 Internet-Facing: HIGH - Web applications are directly accessible and the vulnerability requires no authentication.
🏢 Internal Only: MEDIUM - Internal attackers could exploit this if they have network access to the application.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability appears straightforward to exploit based on the code change, though no public exploit has been documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.0.3

Vendor Advisory: https://github.com/ExpressionEngine/ExpressionEngine/releases/tag/6.0.3

Restart Required: No

Instructions:

1. Back up your Expression Engine installation and database.
2. Download Expression Engine 6.0.3 or later from the official repository.
3. Replace the affected file (system/ee/ExpressionEngine/Addons/file/mod.file.php) with the patched version.
4. Verify the fix by checking that the addonIcon function now uses fixed file names (icon.png, icon.svg) instead of user input.

🔧 Temporary Workarounds

Input Validation Filter

all

Implement server-side validation to restrict file parameter values to allowed filenames only.

Web Application Firewall Rule

all

Block requests containing suspicious file parameter values in the addonIcon function path.

🧯 If You Can't Patch

  • Implement strict input validation to only allow 'icon.png' or 'icon.svg' as file parameter values.
  • Restrict access to the vulnerable endpoint using network segmentation or authentication requirements.

🔍 How to Verify

Check if Vulnerable:

Check whether the installed Expression Engine version is below 6.0.3, and inspect system/ee/ExpressionEngine/Addons/file/mod.file.php to see whether the addonIcon function still builds the file name from user input (input->get('file')) rather than from the fixed names icon.png and icon.svg.

Check Version:

Check the Expression Engine control panel or examine the system/ee/ExpressionEngine/Core/Core.php file for version information.

Verify Fix Applied:

Verify the patched version 6.0.3 is installed and that the addonIcon function in mod.file.php uses fixed file names (icon.png, icon.svg) instead of input->get('file').

📡 Detection & Monitoring

Log Indicators:

  • Unusual file parameter values in requests to addonIcon endpoints
  • Multiple failed attempts with different file parameter values

Network Indicators:

  • Requests to Expression Engine endpoints with non-standard file parameters
  • Unusual file paths in HTTP requests

SIEM Query:

web.url: "*addonIcon*" AND web.param.file: NOT ("icon.png" OR "icon.svg")
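The same allowlist check the SIEM query expresses, run over constructed access-log lines, as an added example that is not part of the advisory: it flags requests to an addonIcon endpoint whose file parameter is anything other than icon.png or icon.svg. The URL shape, the sample log lines and the assumption that the string addonIcon appears in the request target are illustrative, not Expression Engine's real routing.

```python
import re
from urllib.parse import urlsplit, parse_qs

# File names the patched addonIcon() serves (from the advisory); anything else is suspicious.
ALLOWED_ICON_FILES = {"icon.png", "icon.svg"}

# Request line inside a combined-format access log entry, e.g. "GET /x?y=1 HTTP/1.1".
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def suspicious_icon_request(log_line):
    """Return the offending 'file' value if the entry is a request to an addonIcon
    endpoint whose file parameter is outside the allowlist; otherwise None.
    Assumption: the string 'addonIcon' appears somewhere in the request target."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return None
    target = match.group("target")
    if "addonicon" not in target.lower():
        return None
    # parse_qs percent-decodes values, so an encoded traversal (..%2F) is normalised
    # before the allowlist comparison rather than slipping past a literal match.
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for value in params.get("file", []):
        if value not in ALLOWED_ICON_FILES:
            return value
    return None


def scan(lines):
    """Return (line_number, file_value) for every suspicious entry in the log."""
    hits = []
    for number, line in enumerate(lines, start=1):
        value = suspicious_icon_request(line)
        if value is not None:
            hits.append((number, value))
    return hits


# Constructed sample access-log lines (hypothetical endpoint path and client addresses).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jun/2021:12:00:01 +0000] "GET /addonIcon?file=icon.png HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Jun/2021:12:00:02 +0000] "GET /addonIcon?file=..%2F..%2Fsomefile.php HTTP/1.1" 200 2048',
    '198.51.100.9 - - [10/Jun/2021:12:00:03 +0000] "GET /images/logo.svg HTTP/1.1" 200 3000',
    '198.51.100.9 - - [10/Jun/2021:12:00:04 +0000] "GET /addonIcon?file=icon.svg HTTP/1.1" 200 640',
]

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: unexpected file parameter {value!r}")
```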
