Description

Craft is a content management system (CMS). The dataUrl function can be exploited if an attacker has write permissions on system notification templates. This function accepts an absolute file path, reads the file's content, and converts it into a Base64-encoded string. By embedding this function within a system notification template, the attacker can exfiltrate the Base64-encoded file content through a triggered system email notification. Once the email is received, the Base64 payload can be decoded, allowing the attacker to read arbitrary files on the server. This is fixed in 5.4.9 and 4.12.8.

INFO

Published Date :

2024-11-13T16:08:32.698Z

Last Modified :

2024-11-13T18:53:58.779Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2024-52292 vulnerability.

Vendors Products
Craftcms
  • Craft Cms
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-52292.

URL Resource
https://github.com/craftcms/cms/security/advisories/GHSA-cw6g-qmjq-6w2w cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact