Update dependency craftcms/cms to ^4.7.0 [SECURITY] #18

renovate · 2024-09-25T13:01:58Z

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
craftcms/cms (source)	`^4.0.0` -> `^4.7.0`

GitHub Vulnerability Alerts

CVE-2022-37250

Craft CMS 4.2.0.1 suffers from Stored Cross Site Scripting (XSS) in /admin/myaccount.

CVE-2022-37248

Craft CMS 4.2.0.1 is vulnerable to Cross Site Scripting (XSS) via src/helpers/Cp.php.

CVE-2022-37251

Craft CMS 3.70-RC1–3.7.55.1 and 4.0.0-RC1–4.2.0.1 are vulnerable to Cross Site Scripting (XSS) via entry revisions and drafts. Versions 3.7.55.2 and 4.2.1 contain patches for this issue.

CVE-2022-37247

Craft CMS 4.2.0.1 is vulnerable to stored a cross-site scripting (XSS) via /admin/settings/fields page.

CVE-2022-37246

Craft CMS 4.2.0.1 is affected by Cross Site Scripting (XSS) in the file src/web/assets/cp/src/js/BaseElementSelectInput.js and in specific on the line label: elementInfo.label.

CVE-2023-23927

Summary

When you insert a payload inside a label name or instruction of an entry type, an XSS happens in the quick post widget on the
admin dashboard.

PoC

2023-01-30.18-43-49.mp4

Impact

Tested with the free version of Craft CMS 4.3.6.1

CVE-2023-31144

A malformed title in the feed widget of craftcms/cms can deliver an XSS payload. This has been resolved in this commit.

CVE-2023-32679

Summary

Unrestricted file extension lead to a potential Remote Code Execution
(Authenticated, ALLOW_ADMIN_CHANGES=true)

Details

Vulnerability Cause :

If the name parameter value is not empty string('') in the View.php's doesTemplateExist() -> resolveTemplate() -> _resolveTemplateInternal() -> _resolveTemplate() function, it returns directly without extension verification, so that arbitrary extension files are rendered as twig templates (even if they are not extensions set in defaultTemplateExtensions = ['html', 'twig'])

    /**
     * Searches for a template files, and returns the first match if there is one.
     *
     * @&#8203;param string $basePath The base path to be looking in.
     * @&#8203;param string $name The name of the template to be looking for.
     * @&#8203;param bool $publicOnly Whether to only look for public templates (template paths that don’t start with the private template trigger).
     * @&#8203;return string|null The matching file path, or `null`.
     */
    private function _resolveTemplate(string $basePath, string $name, bool $publicOnly): ?string
    {
        // Normalize the path and name
        $basePath = FileHelper::normalizePath($basePath);
        $name = trim(FileHelper::normalizePath($name), '/');

        // $name could be an empty string (e.g. to load the homepage template)
        if ($name !== '') {
            if ($publicOnly && preg_match(sprintf('/(^|\/)%s/', preg_quote($this->_privateTemplateTrigger, '/')), $name)) {
                return null;
            }

            // Maybe $name is already the full file path
            $testPath = $basePath . DIRECTORY_SEPARATOR . $name;

            if (is_file($testPath)) {
                return $testPath;
            }

            foreach ($this->_defaultTemplateExtensions as $extension) {
                $testPath = $basePath . DIRECTORY_SEPARATOR . $name . '.' . $extension;

                if (is_file($testPath)) {
                    return $testPath;
                }
            }
        }

        foreach ($this->_indexTemplateFilenames as $filename) {
            foreach ($this->_defaultTemplateExtensions as $extension) {
                $testPath = $basePath . ($name !== '' ? DIRECTORY_SEPARATOR . $name : '') . DIRECTORY_SEPARATOR . $filename . '.' . $extension;

                if (is_file($testPath)) {
                    return $testPath;
                }
            }
        }

        return null;
    }

When attacker with admin privileges on the DEV or Misconfigured STG, PROD, they can exploit this vulnerability to remote code execution (ALLOW_ADMIN_CHANGES=true)

PoC

Step 1) Create a new filesystem. Base Path: /var/www/html/templates

Step 2) Create a new asset volume. Asset Filesystem: template

Step 3) Upload poc file( .txt , .js , .json , etc ) with twig template rce payload

{{'<pre>'}}
{{1337*1337}}
{{['cat /etc/passwd']|map('passthru')|join}}
{{['id;pwd;ls -altr /']|map('passthru')|join}}

Step 4) Create a new global set with template layout. The template filename is poc.js

Step 5) When access global menu or /admin/global/test, poc.js is rendered as a template file and RCE confirmed

Step 6) RCE can be confirmed on other menus(Entries, Categories) where the template file is loaded.

Poc Environment) ALLOW_ADMIN_CHANGES=true, defaultTemplateExtensions=['html','twig']

Impact

Take control of vulnerable systems, Data exfiltrations, Malware execution, Pivoting, etc.

Additionally, there are 371 domains using CraftCMS exposed on Shodan, and among them, 33 servers have "stage" or "dev" included in their hostnames.

although the vulnerability is exploitable only in the authenticated users, configuration with ALLOW_ADMIN_CHANGES=true, there is still a potential security threat (Remote Code Execution)

Remediation

Recommend taking measures by referring to https://github.com/craftcms/cms-ghsa-9f84-5wpf-3vcf/pull/1

            // Maybe $name is already the full file path
            $testPath = $basePath . DIRECTORY_SEPARATOR . $name;

            if (is_file($testPath)) {
                // Remedation: Verify template file extension, before return
                $fileExt = pathinfo($testPath, PATHINFO_EXTENSION);
                $isDisallowed = false;

                if (isset($fileExt)) {
                    $isDisallowed = !in_array($fileExt, $this->_defaultTemplateExtensions);

                    if($isDisallowed) {
                        return null;
                    } else {
                        return $testPath;
                    }
                }
            }

CVE-2023-33194

Summary

The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload.

Details

Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save.

PoC

Login at admin
Go to setting
Create a Section
On Entry page, click Edit label
Inject the XSS payload into the label and save
On the admin dashboard choose new widget -> Quick Post
In Quick Post, click save with blank slug; The XSS will be executed

"errors":{"title":["<script>alert('nono')</script> cannot be blank."],"slug":["Slug cannot be blank."]

Fixed in craftcms/cms@9d0cd0b

CVE-2023-33196

Summary

XSS can be triggered by review volumes

PoC

1. Access setting tab
2. Create new assets
3. In assets name inject payload: "<script>alert(1337)</script>
4. Click Utilities tab
5. Choose all volumes, or volume trigger xss
6. Click Update asset indexes.
7. Wait to assets update success.
8. Progress complete.
9. Click on review button will trigger XSS

Root cause

Function: index.php?p=admin/actions/asset-indexes/process-indexing-session&v=1680710595770
After loading completed, progess will load:
"skippedEntries"
and
"missingEntries"
These parameters is not yet filtered, I just tried "skippedEntries" but I think it will be work with "missingEntries"

My reponse:

{
"session": {
"id": 10,
"indexedVolumes": {
"6": ""<script>alert(1337)</script>"
},
"totalEntries": 2235,
"processedEntries": 2235,
"cacheRemoteImages": true,
"listEmptyFolders": false,
"isCli": false,
"actionRequired": true,
"dateCreated": "Apr 5, 2023, 9:03:16 AM",
"skippedEntries": [
""<script>alert(1337)</script>/assetpreviews/Image.php",
""<script>alert(1337)</script>/assetpreviews/Pdf.php"
],
"missingEntries": {
"folders": [],
"files": []
},
"processIfRootEmpty": false
},
"skipDialog": false
}

Resolved in craftcms/cms@053d711

CVE-2023-33197

Summary

XSS can be triggered via the Update Asset Index utility

PoC

Access setting tab
Create new assets
In assets name inject payload: "<script>alert(26)</script>
Click Utilities tab
Choose all volumes, or volume trigger xss
Click Update asset indexes.

XSS will be triggered

Json response volumes name makes triggers the payload

"session":{"id":1,"indexedVolumes":{"1":"\"<script>alert(26)</script>"},

It’s run on every POST request in the utility.

Resolved in craftcms/cms@8c2ad0b

CVE-2023-2817

A post-authentication stored cross-site scripting vulnerability exists in Craft CMS versions <= 4.4.11. HTML, including script tags can be injected into field names which, when the field is added to a category or section, will trigger when users visit the Categories or Entries pages respectively. This issue was patched in version 4.4.12.

CVE-2023-40035

Summary

Bypassing the validatePath function can lead to potential Remote Code Execution
(Post-authentication, ALLOW_ADMIN_CHANGES=true)

Details

In bootstrap.php, the SystemPaths path is set as below.

// Set the vendor path. By default assume that it's 4 levels up from here
$vendorPath = $findConfigPath('--vendorPath', 'CRAFT_VENDOR_PATH') ?? dirname(__DIR__, 3);

// Set the "project root" path that contains config/, storage/, etc. By default assume that it's up a level from vendor/.
$rootPath = $findConfigPath('--basePath', 'CRAFT_BASE_PATH') ?? dirname($vendorPath);

// By default the remaining directories will be in the base directory
$dotenvPath = $findConfigPath('--dotenvPath', 'CRAFT_DOTENV_PATH') ?? "$rootPath/.env";
$configPath = $findConfigPath('--configPath', 'CRAFT_CONFIG_PATH') ?? "$rootPath/config";
$contentMigrationsPath = $findConfigPath('--contentMigrationsPath', 'CRAFT_CONTENT_MIGRATIONS_PATH') ?? "$rootPath/migrations";
$storagePath = $findConfigPath('--storagePath', 'CRAFT_STORAGE_PATH') ?? "$rootPath/storage";
$templatesPath = $findConfigPath('--templatesPath', 'CRAFT_TEMPLATES_PATH') ?? "$rootPath/templates";
$translationsPath = $findConfigPath('--translationsPath', 'CRAFT_TRANSLATIONS_PATH') ?? "$rootPath/translations";
$testsPath = $findConfigPath('--testsPath', 'CRAFT_TESTS_PATH') ?? "$rootPath/tests";

Because paths are validated based on the /path1/path2 format, this can be bypassed using a file URI scheme such as file:///path1/path2. File scheme is supported in mkdir()

    /**
     * @&#8203;param string $attribute
     * @&#8203;param array|null $params
     * @&#8203;param InlineValidator $validator
     * @&#8203;return void
     * @&#8203;since 4.4.6
     */
    public function validatePath(string $attribute, ?array $params, InlineValidator $validator): void
    {
        // Make sure it’s not within any of the system directories
        $path = FileHelper::absolutePath($this->getRootPath(), '/');

        $systemDirs = Craft::$app->getPath()->getSystemPaths();

        foreach ($systemDirs as $dir) {
            $dir = FileHelper::absolutePath($dir, '/');
            if (str_starts_with("$path/", "$dir/")) {
                $validator->addError($this, $attribute, Craft::t('app', 'Local volumes cannot be located within system directories.'));
                break;
            }
        }
    }

ref. https://www.php.net/manual/en/wrappers.file.php

PoC

Create a new filesystem. Base Path: file:///var/www/html/templates

Create a new asset volume. Asset Filesystem: local_bypass

Upload a ttml file with rce template code. Confirm poc.ttml file created in /var/www/html/templates

{{'<pre>'}}
{{1337*1337}}
{{['cat /etc/passwd']|map('passthru')|join}}
{{['id;pwd;ls -altr /']|map('passthru')|join}}

Create a new route. URI: * , Template: poc.ttml

Confirm RCE on arbitrary path ( /* )

PoC Env

Impact

Take control of vulnerable systems, Data exfiltrations, Malware execution, Pivoting, etc.

although the vulnerability is exploitable only in the authenticated users, configuration with ALLOW_ADMIN_CHANGES=true, there is still a potential security threat (Remote Code Execution)

CVE-2023-41892

Impact

This is a high-impact, low-complexity attack vector. Users running Craft installations before 4.4.15 are encouraged to update to at least that version to mitigate the issue.

Mitigations

This has been fixed in Craft 4.4.15. You should ensure you’re running at least that version.
Refresh your security key in case it has already been captured. You can do that by running the php craft setup/security-key command and copying the updated CRAFT_SECURITY_KEY environment variable to all production environments.
If you have any other private keys stored as environment variables (e.g., S3 or Stripe), refresh those as well.
Out of an abundance of caution, you may want to force all your users to reset their passwords in case your database was compromised. You can do that by running php craft resave/users --set passwordResetRequired --to "fn() => true".

References

craftcms/cms@c0a37e1#diff-47dd43d86f85161944dfcce2e41d31955c4184672d9bd9d82b948c6b01b86476

craftcms/cms@7359d18

craftcms/cms@a270b92

https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#4415---2023-07-03-critical

CVE-2024-21622

Impact

This is a potential moderate impact, low complexity privilege escalation vulnerability in Craft with certain user permissions setups.

Patches

This has been fixed in Craft 4.4.16 and Craft 3.9.6. Users should ensure they are running at least those versions.

References

https://github.com/craftcms/cms/pull/13932
https://github.com/craftcms/cms/pull/13931
https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#4511---2023-11-16
https://github.com/craftcms/cms/blob/v3/CHANGELOG.md#396---2023-11-16

CVE-2023-36260

An issue discovered in Craft CMS version 4.6.1.1 allows remote attackers to cause a denial of service (DoS) via crafted string to Feed-Me Name and Feed-Me URL fields due to saving a feed using an Asset element type with no volume selected.

Release Notes

craftcms/cms (craftcms/cms)

Update dependency craftcms/cms to ^4.7.0 [SECURITY] #18

Are you sure you want to change the base?

Update dependency craftcms/cms to ^4.7.0 [SECURITY] #18

Conversation

renovate bot commented Sep 25, 2024

GitHub Vulnerability Alerts

Summary

PoC

Impact

Summary

Details

Vulnerability Cause :

PoC

Impact

Remediation

Summary

Details

PoC

Summary

PoC

Root cause

My reponse:

Summary

PoC

Summary

Details

PoC

PoC Env

Impact

Impact

Mitigations

References

Impact

Patches

References

Release Notes

Content Management

Administration

Extensibility

System

Content Management

Administration

Extensibility

System

Configuration