Craft CMS Behavior Injection Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability has been identified in Craft CMS versions 4.0.0-RC1 prior to 4.17.5 and 5.0.0-RC1 prior to 5.9.11. This vulnerability arises from behavior injection in the ElementIndexesController and FieldsController. It requires Craft control panel administrator permissions and the allowAdminChanges setting to be enabled. Exploitation involves injecting malicious behavior configurations that are executed on the server, using a similar attack pattern to a previously reported vulnerability.

Impact

Exploitation of this vulnerability allows authenticated administrators to execute arbitrary system commands on the server via injected behavior configurations.

Reproduction

To reproduce this vulnerability, an authenticated administrator can send a JSON POST request to an endpoint that triggers the 'assembleLayoutFromPost' function in the 'FieldsController' or 'ElementIndexesController'. The request must include a 'fieldLayout' parameter that contains the injected behavior configuration, such as 'as rce', which exploits the behavior attachment mechanism of Yii2 to execute commands on the server.
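As an added detection example (not part of the advisory or of Craft's code), the following Python walks the fieldLayout JSON of submitted POST bodies and flags any Yii2 behavior-attachment key of the form 'as <name>', the indicator this advisory describes. The request bodies are constructed samples, and whether fieldLayout arrives as a JSON object or as a JSON-encoded string is an assumption handled either way.

```python
import json
import re

# Yii2 attaches a behavior when a config array carries a key of the form
# "as <name>". Legitimate Craft field-layout JSON uses no such keys, so one
# appearing under fieldLayout matches the injection pattern in this advisory.
BEHAVIOR_KEY = re.compile(r"^as\s+\S+", re.IGNORECASE)


def behavior_keys(node, path="fieldLayout"):
    """Yield the JSON path of every 'as <name>' key, at any nesting depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if isinstance(key, str) and BEHAVIOR_KEY.match(key):
                yield child
            yield from behavior_keys(value, child)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from behavior_keys(item, f"{path}[{i}]")


def flag_request(body: str) -> list[str]:
    """Return indicator paths for one POST body; an empty list means clean."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return []
    layout = data.get("fieldLayout") if isinstance(data, dict) else None
    if isinstance(layout, str):  # assumption: parameter may be JSON-encoded
        try:
            layout = json.loads(layout)
        except json.JSONDecodeError:
            return []
    return list(behavior_keys(layout)) if layout is not None else []


# Constructed bodies, not captured traffic: a normal layout save and one that
# smuggles a behavior-attachment key. The behavior config is a placeholder.
SAMPLE_BODIES = [
    '{"fieldLayout": {"uid": "abc", "tabs": [{"name": "Content", "elements": []}]}}',
    '{"fieldLayout": {"tabs": [], "as rce": {"class": "PLACEHOLDER_BEHAVIOR"}}}',
]


def scan(bodies: list[str]) -> dict[int, list[str]]:
    """Map body index to indicator paths for every body that is flagged."""
    return {i: hits for i, body in enumerate(bodies) if (hits := flag_request(body))}


if __name__ == "__main__":
    for i, hits in scan(SAMPLE_BODIES).items():
        print(f"body {i}: behavior-injection indicator at {', '.join(hits)}")
```

Run against web-server or WAF request logs for the control panel endpoints named above; any hit warrants checking which administrator account submitted it.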

Remediation

Users on the 4.x branch should update to Craft CMS 4.17.5, and users on the 5.x branch to 5.9.11.

Added: Mar 16, 2026, 9:04 PM
Updated: Mar 16, 2026, 9:04 PM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 10.0
exploitability: 6.0
remediation: 7.7
relevance: 4.0
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.