Local File System Validation Bypass Vulnerability in CraftCMS by Craft
CVE-2024-52291
7.2HIGH
What is CVE-2024-52291?
A vulnerability exists in CraftCMS that allows an attacker to bypass local file system validation through a crafted double file:// scheme. This exploitation could enable the attacker to define sensitive directories as the file system, resulting in malicious uploads that may overwrite files or grant unauthorized access to sensitive data. Furthermore, under certain conditions, this vulnerability could facilitate remote code execution via Server-Side Template Injection payloads, provided the attacker has an authenticated administrator account with allowAdminChanges enabled. This issue has been addressed in CraftCMS versions 5.4.6 and 4.12.5.