Bolt CMS Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability exists in Bolt CMS versions up to and including 3.7.0. This issue allows authenticated users to execute arbitrary PHP code by exploiting a chain of vulnerabilities. The vulnerability arises from the ability to inject PHP code into the display name field of the user profile, which is then rendered unsanitized in backend templates. Once the code is injected, the attacker can manipulate cached session files to execute the payload as a web shell.

Impact

Exploitation of this vulnerability allows authenticated users to execute arbitrary commands on the server where Bolt CMS is running, with the privileges of the account under which the web server (and therefore Bolt) runs.

Reproduction

To reproduce this vulnerability, an authenticated user must first inject PHP code into the display name field of their user profile. After the code is injected, the user can access the async browse cache sessions endpoint to list available session files. Once a suitable session file is identified, it can be renamed to a .php file and placed in a publicly accessible directory. The injected code can then be executed by sending a crafted HTTP GET request to the renamed file, using the appropriate query parameters to trigger the PHP code execution.
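As an added defender-side example (not code from the advisory or from the Bolt project), the Python below audits profile display names for PHP open tags and correlates web-server log lines for the trace this chain leaves behind: a successful listing of cached session files followed by a GET for a .php file in a public directory. The backend route, the public directory prefix and the log lines are assumed placeholders; Python is used because the check runs over logs and exported user data rather than inside Bolt itself.

```python
import re

# Assumed placeholders: set these to the instance's real backend route and public upload directory.
SESSION_BROWSE_PATH = "/bolt/async/browse/cache/sessions"
PUBLIC_DIR_PREFIX = "/files/"

# A display name should never carry a PHP open tag; that is the injection vector described above.
PHP_TAG = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)

def display_name_is_suspicious(name: str) -> bool:
    """True if a profile display name contains '<?php' or '<?='."""
    return bool(PHP_TAG.search(name))

# Combined log format: ip ident user [timestamp] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def find_chain(lines):
    """Return (ip, route, query) for clients that listed cached sessions
    and then requested a .php file from the public directory."""
    listed, hits = set(), []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        route, _, query = m["path"].partition("?")
        if route == SESSION_BROWSE_PATH and m["status"] == "200":
            listed.add(m["ip"])  # enumeration of session files via the backend endpoint
        elif m["ip"] in listed and route.startswith(PUBLIC_DIR_PREFIX) and route.endswith(".php"):
            hits.append((m["ip"], route, query))  # request for a renamed session file as .php
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Sep/2025:19:22:00 +0000] "GET /bolt/async/browse/cache/sessions HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Sep/2025:19:22:03 +0000] "GET /files/photo.jpg HTTP/1.1" 200 4096',
    '10.0.0.5 - - [01/Sep/2025:19:22:07 +0000] "GET /files/sess_renamed.php?q=test HTTP/1.1" 200 64',
]

if __name__ == "__main__":
    print(display_name_is_suspicious("editor <?php echo 1; ?>"))  # True
    print(find_chain(SAMPLE_LOG))  # [('10.0.0.5', '/files/sess_renamed.php', 'q=test')]
```

Run the audit over an export of the users table and the correlation over access logs; a hit on either is a reason to inspect the public directory for stray .php files.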

Remediation

Users are advised to upgrade to Bolt CMS version 3.7.1 or later, where this vulnerability has been patched.

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating (Custom Algorithm)

spread: 5.2
impact: 5.0
exploitability: 6.8
remediation: 7.7
relevance: 0.2
threat: 7.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.