CVE-2024-54149
CVSS 3.1 Score 8.4 of 10 (high)
Details
Summary
CVE-2024-54149 is a vulnerability in Winter CMS, an open-source content management system built on the Laravel PHP framework. Before versions 1.2.7, 1.1.11, and 1.0.476, backend users holding certain CMS permissions could bypass the Twig template sandbox and modify theme customization values, templates, and even model data from inside a template. The root cause is that the variables Twig exposes to a template are references to live PHP objects, so a template that could reach a model or datasource could call its mutating and persistence methods instead of only reading from it.

Exploitation requires backend access with the `cms.manage_layouts`, `cms.manage_pages`, or `cms.manage_partials` permission, that is, the permissions that allow editing layouts, pages, and partials. The Winter CMS maintainers recommend granting these permissions only to trusted administrators and developers.

The fix widens the sandbox so that all models and datasources are read-only in Twig. Users who cannot upgrade can manually apply commit fb88e6fabde3b3278ce1844e581c87dcf7daee22 as a workaround. Code that previously wrote to models or datasources from inside Twig should be moved into components, which run as PHP outside the template sandbox.
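The following is an added example, not Winter CMS code and not the patch referenced above. It uses Twig's own sandbox extension to show the mechanism behind the advisory: a template receives a reference to a live object, and whether it can mutate that object depends entirely on which methods the sandbox policy allows. The `Page` class, the two templates, and both policy lists are constructed for illustration; Winter's real policy and model classes differ. It assumes PHP 8 and `composer require twig/twig`.

```php
<?php
// Added example (not Winter CMS code). Requires: composer require twig/twig
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// Hypothetical stand-in for a live model object handed to a template.
final class Page
{
    public function __construct(private string $title) {}
    public function getTitle(): string { return $this->title; }
    public function setTitle(string $title): void { $this->title = $title; }
    public function save(): string { return 'persisted: ' . $this->title; }
}

// Constructed templates: 'read' only renders the model; 'write' is what a template
// author with edit rights might try, mutating and persisting the model.
$templates = new ArrayLoader([
    'read'  => '{{ page.getTitle() }}',
    'write' => '{% do page.setTitle("changed by template") %}{{ page.save() }}',
]);

// Build a sandboxed environment whose policy allows only the given methods per class.
function makeEnv(ArrayLoader $loader, array $allowedMethods): Environment
{
    $env = new Environment($loader);
    $policy = new SecurityPolicy(
        ['do'],           // allowed tags
        [],               // allowed filters
        $allowedMethods,  // allowed methods, keyed by class name
        [],               // allowed properties
        []                // allowed functions
    );
    // Second argument true: every template is sandboxed, not only {% sandbox %} blocks.
    $env->addExtension(new SandboxExtension($policy, true));
    return $env;
}

// Render a template; a policy violation surfaces as a SecurityError subclass.
function render(Environment $env, string $name, Page $page): string
{
    try {
        return $env->render($name, ['page' => $page]);
    } catch (SecurityError $e) {
        return 'BLOCKED: ' . get_class($e);
    }
}

// Loose policy: mutators are reachable, so the template changes the live object.
$page  = new Page('Home');
$loose = makeEnv($templates, [Page::class => ['getTitle', 'setTitle', 'save']]);
echo render($loose, 'write', $page), PHP_EOL;
echo 'title after render: ', $page->getTitle(), PHP_EOL;

// Read-only policy: only the getter is allowed; setTitle() and save() are refused
// before they run, so the object is unchanged.
$page   = new Page('Home');
$strict = makeEnv($templates, [Page::class => ['getTitle']]);
echo render($strict, 'read', $page), PHP_EOL;
echo render($strict, 'write', $page), PHP_EOL;
echo 'title after render: ', $page->getTitle(), PHP_EOL;
```

With the loose policy the `write` template both changes the title and calls `save()`, which is the class of behaviour the advisory describes. With the strict policy Twig throws `Twig\Sandbox\SecurityNotAllowedMethodError` at the first disallowed call, so nothing is mutated. This is the shape of the fix: keep handing live objects to templates, but let the sandbox expose only read accessors, and move any write that a site legitimately needs into PHP code (in Winter, a component) that runs outside the sandbox.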
Affected Products
- Winter CMS
Affected Vendors
- Winter CMS (wintercms)