Craft CMS Remote Code Execution Vulnerability via Behavior Injection in EntryTypesController

Vulnerability

A remote code execution vulnerability has been identified in Craft CMS versions from 5.6.0 up to, but not including, 5.9.11. The issue arises in the EntryTypesController, where the settings array parsed from the request is passed directly to Craft::configure() without any sanitization of its keys. This allows an authenticated administrator to inject Yii2 behavior configurations that execute arbitrary commands on the server. The vulnerability relies on the same behavior injection mechanism as a previously reported issue, but reaches it through a different code path and endpoint.

Impact

Exploitation of this vulnerability allows for remote code execution on the server where Craft CMS is hosted.

Reproduction

To reproduce this vulnerability, an authenticated user with admin privileges can send a POST request to the endpoint that triggers the 'actionApplyOverrideSettings' method in the EntryTypesController. The request must include a 'settingsNamespace' parameter and a 'settings' parameter that contains the injected behavior configuration, using 'as' or 'on' prefixed keys to specify the behavior injection. Once the request is processed, the injected behavior will be executed, leading to remote code execution.
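The root cause described above is that Yii2's Component::__set() treats a key beginning with "as " as a behavior attachment and a key beginning with "on " as an event handler, so any request-controlled array that reaches Craft::configure() can attach an arbitrary class. The following is an added illustration of the check a controller should apply first; it is not Craft CMS code, and the allowlisted property names and the sample inputs are constructed for the example.

```php
<?php
// Added example (not Craft CMS or Yii code): filter request-supplied settings
// before they are handed to Yii::configure(). Yii's Component::__set() attaches
// a behavior for keys starting with "as " and an event handler for keys
// starting with "on ", so both prefixes must never come from the request.

final class SettingsFilter
{
    /** Hypothetical allowlist of properties this endpoint may legitimately set. */
    private const ALLOWED = ['name', 'handle', 'hasTitleField', 'titleFormat'];

    /**
     * Returns only allowlisted properties. Keys that Yii would interpret as a
     * behavior ("as ...") or event handler ("on ...") are rejected with a
     * distinct message so the attempt can be logged and alerted on.
     *
     * @throws InvalidArgumentException on a disallowed key
     */
    public static function sanitize(array $settings): array
    {
        $clean = [];
        foreach ($settings as $key => $value) {
            if (!is_string($key)) {
                throw new InvalidArgumentException('Settings keys must be strings');
            }
            // Yii compares the raw prefix with strncmp(); normalising case and
            // whitespace here is deliberately stricter than Yii itself.
            $normalised = preg_replace('/\s+/', ' ', strtolower(trim($key)));
            if (str_starts_with($normalised, 'as ') || str_starts_with($normalised, 'on ')) {
                throw new InvalidArgumentException("Behavior/event injection attempt in key '$key'");
            }
            if (!in_array($key, self::ALLOWED, true)) {
                throw new InvalidArgumentException("Unexpected settings key '$key'");
            }
            $clean[$key] = $value;
        }
        return $clean;
    }
}

// Constructed sample inputs, not taken from the advisory.
$benign = ['name' => 'Article', 'handle' => 'article', 'hasTitleField' => true];
var_dump(SettingsFilter::sanitize($benign) === $benign); // bool(true)

try {
    SettingsFilter::sanitize(['name' => 'Article', 'as injected' => ['class' => 'ExampleBehavior']]);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL; // rejected before reaching Yii::configure()
}
```

The rejection message gives a clean detection hook: a controller that logs it surfaces any attempt to smuggle "as"/"on" keys into an entry type settings request.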

Remediation

Users should update Craft CMS to version 5.9.11 to address this vulnerability.

Added: Mar 16, 2026, 9:03 PM
Updated: Mar 16, 2026, 9:03 PM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 10.0
exploitability: 5.4
remediation: 7.7
relevance: 4.0
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.