CVE-2023-32679
📋 TL;DR
This vulnerability in Craft CMS allows attackers with admin privileges to execute arbitrary code by uploading files with arbitrary extensions that get rendered as Twig templates. It affects Craft CMS installations in development environments or improperly configured staging/production environments. Successful exploitation grants remote code execution on the host system.
💻 Affected Systems
- Craft CMS
📦 What is this software?
Craft CMS by Craftcms
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining shell access to the operating system, data exfiltration, lateral movement, and persistent backdoor installation.
Likely Case
Attacker with admin access uploads malicious template file leading to remote code execution, potentially compromising the CMS instance and underlying server.
If Mitigated
Attack prevented through proper environment configuration, admin access controls, and file upload restrictions.
🎯 Exploit Status
Exploitation requires admin privileges but is straightforward once access is obtained. The vulnerability is in template resolution logic.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.4.6
Vendor Advisory: https://github.com/craftcms/cms/security/advisories/GHSA-vqxf-r9ph-cc9c
Restart Required: No
Instructions:
1. Back up your Craft CMS installation and database.
2. Update Craft CMS to version 4.4.6 or later via Composer: composer require craftcms/cms:"^4.4.6"
3. Clear template caches if applicable.
4. Verify the update was successful.
🔧 Temporary Workarounds
No official workarounds
The vendor states there are no known workarounds for this vulnerability.
🧯 If You Can't Patch
- Restrict admin access to only trusted personnel and implement strong authentication controls.
- Disable template rendering in production environments if not required, or implement strict file upload validation.
🔍 How to Verify
Check if Vulnerable:
Check the Craft CMS version via the admin panel, or examine composer.json/composer.lock for a craftcms/cms version below 4.4.6.
Check Version:
composer show craftcms/cms | grep versions
Verify Fix Applied:
Confirm version is 4.4.6 or higher via admin panel or composer show craftcms/cms command.
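An added check, not from the advisory or from Craft CMS, that automates the composer.lock step above: it reads the recorded craftcms/cms version and compares it numerically against the 4.4.6 fix version, so a release such as 4.10.0 is not mistaken for an older one by string comparison. The composer.lock fragments are constructed samples, and only the 4.x fix version named on this page is compared.

```python
import json
import re

# Fix version named in the vendor advisory for this CVE (4.x line).
FIXED_VERSION = "4.4.6"

def parse_version(version):
    """Turn a Composer version string such as 'v4.10.1' or '4.4.6-beta.1'
    into a comparable tuple; a pre-release suffix sorts below the release."""
    core = re.match(r"v?(\d+(?:\.\d+)*)", version)
    if not core:
        # Branch aliases such as 'dev-main' carry no comparable number.
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = tuple(int(p) for p in core.group(1).split("."))
    # Pad to three components so '4.4' compares like '4.4.0'.
    parts += (0,) * (3 - len(parts))
    has_suffix = core.end() < len(version)
    return parts + (0 if has_suffix else 1,)

def craft_version_from_lock(lock_text):
    """Return the craftcms/cms version recorded in composer.lock,
    or None if the package is not listed."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []):
        if pkg.get("name") == "craftcms/cms":
            return pkg.get("version")
    return None

def is_vulnerable(lock_text, fixed=FIXED_VERSION):
    """True when composer.lock pins craftcms/cms below the fixed version."""
    installed = craft_version_from_lock(lock_text)
    if installed is None:
        return False
    return parse_version(installed) < parse_version(fixed)

# Constructed composer.lock fragments (not taken from any real install).
SAMPLE_LOCK_OLD = json.dumps({"packages": [
    {"name": "twig/twig", "version": "v3.5.0"},
    {"name": "craftcms/cms", "version": "4.4.5"},
]})
SAMPLE_LOCK_NEW = json.dumps({"packages": [
    {"name": "craftcms/cms", "version": "4.10.0"},
]})

if __name__ == "__main__":
    for label, lock in (("old", SAMPLE_LOCK_OLD), ("new", SAMPLE_LOCK_NEW)):
        state = "vulnerable" if is_vulnerable(lock) else "fixed"
        print(label, craft_version_from_lock(lock), state)
```

Run it against a real lock file with `is_vulnerable(open("composer.lock").read())`; the result complements, rather than replaces, the admin-panel check.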
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads with non-standard extensions to template directories
- Twig template rendering errors for unexpected file types
- Admin user uploading files to template locations
Network Indicators:
- HTTP POST requests uploading files to template-related endpoints by admin users
SIEM Query:
source="web_logs" AND method="POST" AND (uri_path="/admin/*" OR user_agent="Craft CMS") AND (uri_path CONTAINS "template" OR uri_path CONTAINS "upload")