CVE-2023-40035

CVSS 3.1 Score 7.2 of 10 (high)

Details

Published Aug 23, 2023
Updated: Aug 29, 2023
CWE ID 74

Summary

CVE-2023-40035 is a vulnerability affecting Craft CMS, a platform used for creating custom digital experiences. This issue arises due to a bypass in the validatePath function, which can potentially enable remote code execution. Malicious actors could exploit this vulnerability to gain malicious control of affected systems and exfiltrate sensitive data. Although this vulnerability can only be exploited by authenticated users, the presence of the ALLOW_ADMIN_CHANGES=true configuration significantly increases the threat level. The vulnerability has been addressed in Craft CMS versions 4.4.15 and 3.8.15.

Ligh bulbPrevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

Share