CVE-2024-54149

CVSS 3.1 Score 8.4 of 10 (high)

Details

Published Dec 9, 2024
CWE ID 184

Summary

CVE-2024-54149 is a vulnerability affecting Winter CMS, an open-source content management system based on the Laravel PHP framework. Prior to versions 1.2.7, 1.1.11, and 1.0.476, users with specific permissions were able to bypass the Twig file sandbox and manipulate theme customization values, templates, and even model data. The issue arises because objects passed into Twig are references to live objects, so a template could call methods that change them. An attacker would require Backend access with the `cms.manage_layouts`, `cms.manage_pages`, or `cms.manage_partials` permission to exploit this vulnerability. The Winter CMS maintainers recommend limiting these permissions to trusted administrators and developers. They have since increased the sandbox's scope to make all models and datasources read-only in Twig. Users unable to upgrade can manually apply commit fb88e6fabde3b3278ce1844e581c87dcf7daee22 as a workaround. Users who rely on writing to models or datasources within Twig should instead create components to make those changes.
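To illustrate the read-only mitigation the summary describes, here is an added example of a Twig sandbox policy that only whitelists read accessors on a model class, so a template that tries to call a setter on a live object is refused. This is illustrative code, not Winter CMS's own sandbox configuration or the referenced commit; the `ThemeSetting` class, its methods, and the template strings are constructed for the example, and it assumes the `twig/twig` package is installed via Composer.

```php
<?php
// Added example (not Winter CMS code): a Twig SecurityPolicy that exposes only
// read accessors of a model class, so templates cannot mutate live objects.
require 'vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;
use Twig\Extension\SandboxExtension;
use Twig\Sandbox\SecurityPolicy;
use Twig\Sandbox\SecurityError;

// Constructed stand-in for a CMS model; the class name and methods are assumptions.
final class ThemeSetting
{
    private string $siteName = 'Example site';

    public function getSiteName(): string
    {
        return $this->siteName;
    }

    public function setSiteName(string $value): void
    {
        $this->siteName = $value;
    }
}

// Whitelist only the getter: any other method call on this class is rejected
// by the sandbox before it executes.
$policy = new SecurityPolicy(
    ['if', 'for'],                              // allowed tags
    ['escape', 'upper'],                        // allowed filters
    [ThemeSetting::class => ['getSiteName']],   // allowed methods, keyed by class
    [],                                         // allowed properties
    []                                          // allowed functions
);

$twig = new Environment(new ArrayLoader([
    // Constructed templates: one only reads, one attempts to write.
    'read'  => '{{ setting.getSiteName() }}',
    'write' => '{{ setting.setSiteName("changed") }}{{ setting.getSiteName() }}',
]));

// Second argument true: every template is sandboxed, not only {% sandbox %} blocks.
$twig->addExtension(new SandboxExtension($policy, true));

$setting = new ThemeSetting();

// Reading through the whitelisted getter is allowed.
echo $twig->render('read', ['setting' => $setting]), PHP_EOL;

try {
    // The setter is not in the policy, so Twig throws a SecurityError
    // (specifically SecurityNotAllowedMethodError) instead of running it.
    $twig->render('write', ['setting' => $setting]);
} catch (SecurityError $e) {
    echo 'blocked: ', $e->getMessage(), PHP_EOL;
}

// The live object keeps its original value because the call never executed.
echo $setting->getSiteName(), PHP_EOL;
```

The design point is that the policy is an allow-list per class rather than a deny-list of known setters: a model that gains a new mutating method later stays unreachable from templates unless it is explicitly added. Changes that genuinely need to write to a model belong in a component, as the maintainers advise, where they run under the application's normal authorization rather than inside the template sandbox.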

