Craft CMS RCE (CVE-2023-41892) - Vulnerability Database


Description

Craft CMS versions prior to 4.4.15 and 3.8.15 contain a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary PHP code on the server. This critical vulnerability stems from improper input validation in the application's image transformation functionality, which can be exploited by sending specially crafted HTTP requests to the server.

Remediation

Immediately upgrade Craft CMS to version 4.4.15 or later for Craft 4.x installations, or version 3.8.15 or later for Craft 3.x installations. Follow these steps:

1. Back up your current Craft CMS installation and database before upgrading.
2. Update Craft CMS using Composer by running:

   composer update craftcms/cms --with-dependencies

3. Run any pending migrations:

   php craft migrate/all

4. Clear caches:

   php craft clear-caches/all

5. Verify the installation is running the patched version by checking the control panel or running:

   php craft --version
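The five steps above as one script, added here as an example and not Invicti's or Craft's own tooling. The script contains a pure version check (is the installed release at or past 4.4.15 on the 4.x line or 3.8.15 on the 3.x line?) and a driver that runs the listed commands in order and only reports success when the installed version passes that check afterwards. It assumes it is run from the project root containing composer.json and the `craft` console script, uses `php craft db/backup` for step 1 because the advisory names no backup tool, and assumes the output of `php craft --version` contains the version as digits.digits.digits.

```shell
#!/bin/sh
# Added example, not Invicti's or Craft's own code. Assumptions: run from the
# Craft project root; "php craft db/backup" is the backup command for step 1
# (the advisory does not name one); "php craft --version" prints x.y.z somewhere.
set -eu

# craft_version_is_patched VERSION
# Returns 0 when VERSION is >= 4.4.15 on the 4.x line or >= 3.8.15 on the 3.x
# line, 1 otherwise. Unparseable input and other major versions count as "not
# known to be patched", the safe answer for a compliance check.
craft_version_is_patched() {
    ver=${1%%-*}            # drop a pre-release suffix such as "-beta.1"
    case "$ver" in
        *.*.*) ;;
        *) return 1 ;;
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%.*}
    for n in "$major" "$minor" "$patch"; do
        case "$n" in
            ''|*[!0-9]*) return 1 ;;
        esac
    done
    case "$major" in
        4) fixed_minor=4; fixed_patch=15 ;;
        3) fixed_minor=8; fixed_patch=15 ;;
        *) return 1 ;;
    esac
    if [ "$minor" -gt "$fixed_minor" ]; then
        return 0
    fi
    if [ "$minor" -eq "$fixed_minor" ] && [ "$patch" -ge "$fixed_patch" ]; then
        return 0
    fi
    return 1
}

# extract_version TEXT
# Prints the first x.y.z version string found in TEXT (assumed to be the output
# of "php craft --version"), or nothing if there is none.
extract_version() {
    printf '%s\n' "$1" | grep -o '[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*' | head -n 1
}

# upgrade_craft
# Runs the remediation steps from the advisory in order and refuses to report
# success unless the installed version afterwards passes the check above.
upgrade_craft() {
    php craft db/backup                              # step 1 (assumed backup command)
    composer update craftcms/cms --with-dependencies # step 2
    php craft migrate/all                            # step 3
    php craft clear-caches/all                       # step 4
    installed=$(extract_version "$(php craft --version)")   # step 5
    if craft_version_is_patched "$installed"; then
        echo "Craft CMS $installed is at or past the fixed release for CVE-2023-41892"
    else
        echo "Craft CMS '$installed' is not confirmed as patched; check the craftcms/cms constraint in composer.json" >&2
        return 1
    fi
}

# Only touch the installation when explicitly asked, so the functions above can
# be sourced and exercised without running Composer.
if [ "${1:-}" = "upgrade" ]; then
    upgrade_craft
fi
```

Run as `sh upgrade-craft.sh upgrade` to perform the upgrade; sourcing the file without the argument only defines the functions, which is useful for checking a version string pulled from an inventory or scanner report with `craft_version_is_patched "$ver"`. The check treats anything it cannot parse, and any major version other than 3 or 4, as unpatched on purpose: a compliance check should fail closed.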

If immediate patching is not possible, implement network-level restrictions to limit access to the Craft CMS installation to trusted IP addresses only as a temporary mitigation measure.
