CVE-2023-30179
📋 TL;DR
CVE-2023-30179 is a Server-Side Template Injection vulnerability in CraftCMS that allows authenticated attackers to inject Twig templates into the User Photo Location field, potentially leading to remote code execution. The vulnerability affects CraftCMS version 3.7.59, though the vendor disputes the severity since only administrators can perform this action by design.
💻 Affected Systems
- CraftCMS
📦 What is this software?
Craft Cms by Craftcms
⚠️ Risk & Real-World Impact
Worst Case
An authenticated administrator could execute arbitrary code on the server, leading to complete system compromise, data theft, or lateral movement within the network.
Likely Case
An administrator with malicious intent or compromised administrator credentials could execute limited code within the application context, potentially accessing sensitive data or modifying application behavior.
If Mitigated
With proper access controls and monitoring, the impact is limited to authorized administrators performing actions within their intended scope.
🎯 Exploit Status
Exploitation requires administrator privileges. Public proof-of-concept demonstrates template injection leading to RCE.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.4.2
Vendor Advisory: https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#442---2023-03-14
Restart Required: No
Instructions:
1. Update CraftCMS to version 4.4.2 or later.
2. Verify the update completed successfully.
3. Test user photo location functionality.
🔧 Temporary Workarounds
Restrict Administrator Access
Limit administrator accounts to trusted personnel only and implement multi-factor authentication.
Input Validation
Implement additional input validation on the User Photo Location field to reject Twig template syntax.
🧯 If You Can't Patch
- Implement strict access controls and monitoring for administrator accounts.
- Regularly audit administrator activities and review logs for suspicious template injection attempts.
🔍 How to Verify
Check if Vulnerable:
Check the CraftCMS version in the admin panel or by running composer show craftcms/cms. If the version is 3.7.59, the system is vulnerable.
Check Version:
composer show craftcms/cms | grep version
Verify Fix Applied:
Verify CraftCMS version is 4.4.2 or later. Test user photo location field to ensure template injection is no longer possible.
📡 Detection & Monitoring
Log Indicators:
- Unusual administrator activity
- Twig template syntax in user photo location fields
- Unexpected file system or process creation
Network Indicators:
- Unusual outbound connections from CraftCMS server
- Suspicious payloads in HTTP requests to user settings endpoints
SIEM Query:
source="craftcms" AND event="user_update" AND (photo_location CONTAINS "{{" OR photo_location CONTAINS "{%")
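As an added example (not code from the page or from the Craft CMS project), the detection logic of the SIEM query above combined with the input-validation workaround, run over constructed sample log lines: it flags user_update events whose photo_location field carries Twig delimiters, and rejects such values before they are stored. The JSON log format and field names are assumptions.

```python
import json
import re

# Twig delimiters: output {{ }}, statements {% %}, comments {# #}.
# Any opening delimiter is enough for a detection rule; a legitimate
# filesystem path for user photos never needs one. Single braces are
# deliberately NOT matched to keep false positives down.
TWIG_DELIMITER = re.compile(r"\{\{|\{%|\{#")


def contains_twig_syntax(value: str) -> bool:
    """True if the value contains Twig output/statement/comment syntax."""
    return bool(TWIG_DELIMITER.search(value or ""))


def validate_photo_location(value: str) -> str:
    """Input-validation workaround: reject template syntax in the
    User Photo Location setting before it is persisted."""
    if contains_twig_syntax(value):
        raise ValueError("User Photo Location must not contain Twig template syntax")
    return value


def scan_events(lines):
    """Return the craftcms user_update events whose photo_location field
    contains Twig syntax. Each line is one JSON object (assumed format)."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the scan
        if event.get("source") != "craftcms" or event.get("event") != "user_update":
            continue
        if contains_twig_syntax(str(event.get("photo_location", ""))):
            hits.append(event)
    return hits


# Constructed sample events; field names mirror the SIEM query above.
SAMPLE_LOG = [
    '{"source":"craftcms","event":"user_update","user":"admin","photo_location":"@webroot/photos/{username}"}',
    '{"source":"craftcms","event":"user_update","user":"admin","photo_location":"@webroot/{{ 1 + 1 }}"}',
    '{"source":"craftcms","event":"login","user":"editor"}',
    'not json at all',
    '{"source":"craftcms","event":"user_update","user":"editor","photo_location":"{% set x = 1 %}/photos"}',
]

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_LOG):
        print(f"ALERT user={hit['user']} photo_location={hit['photo_location']!r}")
```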
🔗 References
- https://datnlq.gitbook.io/cve/craft-cms/cve-2023-30179-server-side-template-injection
- https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#442---2023-03-14
- https://github.com/github/advisory-database/pull/2443#issuecomment-1610040714
- https://github.com/github/advisory-database/pull/2443#issuecomment-1610634200