Craft CMS Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability has been identified in Craft CMS versions 4.0.0 prior to 4.17.12 and 5.0.0 prior to 5.9.18. The issue arises from an input-handling flaw in the Yii object creation process, which allows any authenticated user to inject malicious configuration that is then executed on the server. The vulnerability abuses the dynamic object configuration feature of Yii, which Craft CMS uses to build application components from a settings list. The root cause is that condition field layout data was not properly sanitized before being processed, enabling the execution of arbitrary commands on the server.

Impact

Exploitation of this vulnerability allows authenticated users to execute arbitrary commands on the server, with the commands executed in the context of the web server user.

Reproduction

To reproduce this vulnerability, send a POST request to '/admin/actions/element-search/search' with a JSON payload that includes a crafted 'condition' field. The 'condition' is structured to inject malicious behavior, such as executing a command through a specified attribute type. The same exploitation is possible through other element-index actions that follow the same request handling path.

Remediation

Users should upgrade to Craft CMS 4.17.12 or 5.9.18, which address this vulnerability.
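The two defender-side checks this advisory calls for are deciding whether an installed Craft CMS version falls inside the affected ranges, and locating requests to the endpoint named in the Reproduction section in web server logs. The script below is an added example, not code from Craft CMS or from this advisory; it assumes plain MAJOR.MINOR.PATCH version strings and an Apache/nginx combined-format access log, and the log lines it parses are constructed for the demonstration. Because the control panel itself uses the element-search endpoint for legitimate searches, the log hits are a triage pivot (which authenticated sessions used the endpoint, from where, and with what status codes on an affected version), not proof of exploitation.

```python
"""Triage helpers for the Craft CMS RCE advisory above (added example, not Craft CMS code)."""
import re
from typing import List, Tuple

# Affected ranges as stated in the advisory: [4.0.0, 4.17.12) and [5.0.0, 5.9.18)
AFFECTED_RANGES = {
    4: ((4, 0, 0), (4, 17, 12)),
    5: ((5, 0, 0), (5, 9, 18)),
}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH' (optional leading 'v', optional -prerelease/+build suffix)."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True if the version lies inside one of the advisory's affected ranges."""
    v = parse_version(version)
    rng = AFFECTED_RANGES.get(v[0])
    if rng is None:
        return False  # 3.x, 6.x and other majors are outside the stated ranges
    lo, hi = rng
    return lo <= v < hi


# Endpoint named in the advisory's Reproduction section.
SEARCH_ENDPOINT = "/admin/actions/element-search/search"

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def flag_requests(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (ip, timestamp, status) for every POST to the element-search endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = m["path"].split("?", 1)[0]  # ignore query string when matching the path
        if m["method"] == "POST" and path == SEARCH_ENDPOINT:
            hits.append((m["ip"], m["ts"], m["status"]))
    return hits


# Constructed sample log lines (not real traffic) for the demonstration.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/May/2026:21:00:01 +0000] "GET /admin/dashboard HTTP/1.1" 200 5120',
    '10.0.0.7 - - [12/May/2026:21:00:09 +0000] "POST /admin/actions/element-search/search HTTP/1.1" 200 311',
    '10.0.0.7 - - [12/May/2026:21:00:10 +0000] "POST /admin/actions/element-search/search?x=1 HTTP/1.1" 500 0',
    '10.0.0.9 - - [12/May/2026:21:01:00 +0000] "POST /index.php?p=actions/users/login HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for ver in ("4.17.11", "4.17.12", "5.9.17", "5.9.18"):
        print(f"Craft {ver}: {'AFFECTED' if is_affected(ver) else 'not affected'}")
    for ip, ts, status in flag_requests(SAMPLE_LOG):
        print(f"element-search POST from {ip} at {ts} -> HTTP {status}")
```

On an affected version, pair the flagged entries with control panel session records to identify which user account issued each request; a burst of 500 responses from one source on this endpoint is a useful signal to investigate, while ordinary 200s from regular control panel users are expected noise.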

Added: May 12, 2026, 9:21 PM
Updated: May 12, 2026, 9:21 PM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 10.0
exploitability: 6.2
remediation: 7.7
relevance: 8.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined to calculate the overall risk score.