CVE-2024-56145: Craft CMS - Remote Code Execution via Template Path Manipulation

Date: 2025-08-01 | Affected software: Craft CMS | PoC: public

Vulnerability description

This template detects a critical Remote Code Execution (RCE) vulnerability in Craft CMS, tracked as GHSA-2p6p-9rc9-62j9. The vulnerability exists due to improper handling of the `--templatesPath` query parameter, allowing attackers to execute arbitrary code by referencing malicious Twig templates.

PoC code [public]

id: CVE-2024-56145

info:
  name: Craft CMS - Remote Code Execution via Template Path Manipulation
  author: jackhax
  severity: critical
  description: |
    This template identifies a critical Remote Code Execution (RCE) vulnerability in Craft CMS, identified as GHSA-2p6p-9rc9-62j9.
    The vulnerability exists due to improper handling of the `--templatesPath` query parameter, allowing attackers to execute arbitrary code by referencing malicious Twig templates.
  impact: |
    Successful exploitation of this vulnerability could allow an unauthenticated attacker to perform remote code execution.
  remediation: |
    Upgrade CraftCMS to either >5.5.2 or >4.13.2 or >3.9.14. Or If you can't upgrade yet, and register_argc_argv is enabled, you can disable it to mitigate the issue.
  reference:
    - https://github.com/advisories/GHSA-2p6p-9rc9-62j9
    - https://www.assetnote.io/resources/research/how-an-obscure-php-footgun-led-to-rce-in-craft-cms
    - https://github.com/Chocapikk/CVE-2024-56145
    - https://github.com/craftcms/cms/commit/82e893fb794d30563da296bca31379c0df0079b3
    - https://github.com/craftcms/cms/security/advisories/GHSA-2p6p-9rc9-62j9
  classification:
    cvss-metrics: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
    cvss-score: 9.3
    cve-id: CVE-2024-56145
    cwe-id: CWE-94
    epss-score: 0.93747
    epss-percentile: 0.99849
    cpe: cpe:2.3:a:craftcms:craft:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: craftcms
    product: cms
    shodan-query:
      - http.html:"craftcms"
      - http.favicon.hash:"-47932290"
    fofa-query:
      - icon_hash=-47932290
      - body=craftcms
    publicwww-query: craftcms
  tags: cve,cve2024,rce,craftcms,ssti,kev,vkev

variables:
  nonce: "{{rand_int(1000000000,9999999999)}}"

http:
  - raw:
      - |
        GET ?--configPath=/nuclei_test/{{nonce}} HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '{{nonce}}'
          - 'mkdir()'
          - 'Permission denied'
          - 'No such file or directory'
        condition: and

      - type: status
        status:
          - 503
# digest: 4b0a00483046022100d731e15b73dee6cae90a797f73b059840bd5c1d7b4cd217a27e1559c6958b8b102210097b40e42d89d9c9627b85dfe369c868f091bb141d96237e9e9769d92b0b09af5:922c64590222798bb761d5b6d8e72950
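The request above works because a query string beginning with a CLI-style option (`--configPath=`, or `--templatesPath=` as named in the description) is picked up through PHP's register_argc_argv. From the defender's side, the same trait makes such requests easy to spot in web server logs. The following is an added example, not part of the nuclei template or the Craft CMS project: it parses combined-format access log lines (constructed sample data) and flags requests whose query tokens look like long options. It assumes combined log format and that the two option names above are the ones worth alerting on.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format); not taken from the page.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Aug/2025:10:00:01 +0000] "GET /?--configPath=/nuclei_test/1234567890 HTTP/1.1" 503 812 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Aug/2025:10:00:02 +0000] "GET /index.php?--templatesPath=/tmp/evil HTTP/1.1" 200 15 "-" "curl/8.0"
198.51.100.7 - - [01/Aug/2025:10:00:03 +0000] "GET /?p=actions/users/login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Aug/2025:10:00:04 +0000] "GET /search?q=--help HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Option names tied to this bug on the page (request and description); assumption:
# this is our alert list, not a list the template itself carries.
FLAGGED_OPTIONS = ("--configPath", "--templatesPath")


def cli_style_params(query):
    """Return query tokens whose key starts with '--', i.e. tokens PHP would hand
    to $_SERVER['argv'] as long options. PHP splits QUERY_STRING on '+'; we also
    split on '&' to be generous when detecting."""
    keys = []
    for token in re.split(r"[+&]", query):
        key = unquote(token.split("=", 1)[0])
        if key.startswith("--"):
            keys.append(key)
    return keys


def scan_log(text):
    """Return one record per request whose query contains a flagged option."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("path").partition("?")
        opts = cli_style_params(query)
        if any(o in FLAGGED_OPTIONS for o in opts):
            hits.append({"ip": m.group("ip"), "path": path,
                         "options": opts, "status": int(m.group("status"))})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A 503 with the option in the query matches the probe the template sends; a 200 on the same shape of request is the case worth investigating first. Note that a `--` value inside a normal parameter (`q=--help`) is not flagged, because it never reaches argv as an option.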
