Craft CMS
cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*
- >= 5.0.0-RC1, < 5.9.0-beta.1
- >= 4.0.0-RC1, < 4.17.0-beta.1
A remote code execution vulnerability affects Craft CMS versions prior to 5.8.22 and 4.16.18. It arises from improper handling of Twig input in text fields under the Settings area of the control panel and in the System Messages utility: an administrator, or an attacker holding an administrator account, can store a payload built around the Twig 'map' filter in one of these fields. Exploitation therefore requires administrator access together with the 'allowAdminChanges' setting being enabled; that setting is not recommended outside development environments. With 'allowAdminChanges' disabled, a non-administrator account can still reach the vulnerable path if it has been granted access to the System Messages utility.
Successful exploitation yields authenticated remote code execution on the server hosting Craft CMS.
To reproduce the issue, an administrator enables the 'allowAdminChanges' setting and then enters a payload that uses the Twig 'map' filter into a text field that accepts Twig input, either under the Settings menu in the Craft control panel or in the System Messages utility. When Craft renders that field, the payload executes on the server, giving remote code execution.
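The advisory names the Twig 'map' filter inside Twig-evaluated text fields as the vector, so an incident responder's first question is whether any stored Settings value or System Message already carries such a filter. The scanner below is an added example written for this page, not Craft's own code or its fix. It flags `map` and its sibling callable-taking filters (`filter`, `reduce`, `sort`, included here as an assumption that they warrant the same review) and classifies the argument as a quoted string callable, an arrow function, or something else. The sample records are constructed for illustration.

```python
import re
from typing import Dict, List

# Twig filters that take a callable (arrow function or string) as their
# argument. The advisory names `map`; the others are added on the assumption
# that anything accepting a callable deserves the same scrutiny.
CALLABLE_FILTERS = ("map", "filter", "reduce", "sort")

# Matches `|map( ... )` and friends, tolerating one level of nested parentheses
# inside the argument so arrow bodies such as `x => foo(x)` are captured whole.
FILTER_RE = re.compile(
    r"\|\s*(?P<filter>" + "|".join(CALLABLE_FILTERS) + r")\s*\("
    r"(?P<arg>(?:[^()]|\([^()]*\))*)\)",
    re.IGNORECASE,
)

# Twig arrow function: `x => expr` or `(x, y) => expr`.
ARROW_RE = re.compile(r"(\(\s*\w+(\s*,\s*\w+)*\s*\)|\w+)\s*=>")

# A lone quoted identifier passed as the callable, e.g. map('system').
STRING_CALLABLE_RE = re.compile(r"""^\s*(['"])[A-Za-z_\\][\w\\]*\1\s*$""")


def find_twig_callable_filters(text: str) -> List[Dict[str, str]]:
    """Return one finding per callable-taking Twig filter found in `text`."""
    findings = []
    for m in FILTER_RE.finditer(text):
        arg = m.group("arg")
        if STRING_CALLABLE_RE.match(arg):
            kind = "string-callable"
        elif ARROW_RE.search(arg):
            kind = "arrow-function"
        else:
            kind = "other"
        findings.append(
            {"filter": m.group("filter").lower(), "kind": kind, "snippet": m.group(0)}
        )
    return findings


def scan_records(records: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Filter a list of {source, text} records down to those with findings."""
    hits = []
    for rec in records:
        found = find_twig_callable_filters(rec["text"])
        if found:
            hits.append({"source": rec["source"], "findings": found})
    return hits


# Constructed sample records standing in for exported Settings values and
# System Messages bodies; the field names are illustrative, not Craft's schema.
SAMPLE_RECORDS = [
    {"source": "systemmessages:account_activation:body",
     "text": "Hello {{ user.friendlyName }}, activate your account at {{ link }}."},
    {"source": "settings:siteName",
     "text": "{{ ['id']|map('system') }}"},
    {"source": "systemmessages:forgot_password:body",
     "text": "{{ items|map(x => x.title) }} {{ total|reduce((c, v) => c + v) }}"},
]

if __name__ == "__main__":
    for hit in scan_records(SAMPLE_RECORDS):
        print(hit["source"])
        for f in hit["findings"]:
            print(f"  [{f['kind']}] {f['filter']}: {f['snippet']}")
```

Any hit is a reason to inspect the field and the account that last edited it; a `string-callable` or `arrow-function` hit in a field that should only contain plain text or simple variable output is the pattern the advisory describes. The scanner is a triage aid and does not replace upgrading to a fixed version.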
Users should upgrade to Craft CMS 5.8.22 or 4.16.18 (or later), where this vulnerability is patched. Until the upgrade is applied, keep 'allowAdminChanges' disabled outside development environments and limit which accounts are granted access to the System Messages utility, since those are the two paths to the vulnerable fields.