Server-Side Template Injection (SSTI) in CraftCMS version 3.7.59 allows Remote Code Execution via User Photo Location field.


CVE-2023-30179 · HIGH Severity

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CraftCMS version 3.7.59 is vulnerable to Server-Side Template Injection (SSTI). An authenticated attacker can inject a Twig template into the User Photo Location field when setting the User Photo Location in User Settings, leading to Remote Code Execution. NOTE: the vendor disputes this because only Administrators can add this Twig code, and (by design) Administrators are allowed to do that by default.
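Because the vendor treats Twig in this field as intended behaviour, the practical control is on the defender's side: review any path-type admin setting that carries Twig syntax, and alert when such a value changes relative to a known baseline. The following is an added example, not Craft CMS code; the setting names and values are constructed, and the only page-supplied fact it relies on is that the User Photo Location field accepts Twig.

```python
import re
from dataclasses import dataclass

# Twig's three delimiter families; the optional '-' covers whitespace-control variants.
TWIG_DELIMITERS = re.compile(r"\{\{-?|-?\}\}|\{%-?|-?%\}|\{#|#\}")


@dataclass
class Finding:
    setting: str           # name of the setting (hypothetical names in the sample below)
    value: str             # the stored value
    delimiters: list       # Twig delimiters found in the value
    changed: bool = False  # True when the value differs from the baseline snapshot


def find_twig_syntax(value: str) -> list:
    """Return every Twig delimiter present in a setting value (empty list if none)."""
    return TWIG_DELIMITERS.findall(value)


def audit_settings(current: dict, baseline: dict = None) -> list:
    """Flag settings that carry Twig syntax and mark those that changed since a baseline.

    Any Twig in a path-type setting is server-side code evaluated with the
    application's privileges, so each hit is reported for review rather than
    silently accepted; a hit that also differs from the baseline is the one an
    analyst should look at first.
    """
    baseline = baseline or {}
    findings = []
    for name, value in current.items():
        hits = find_twig_syntax(value)
        if hits:
            findings.append(Finding(name, value, hits, changed=baseline.get(name) != value))
    return findings


# Constructed sample: a baseline snapshot and the current settings after an admin edit.
BASELINE = {
    "userPhotoSubpath": "profiles",
    "assetUploadSubpath": "uploads/images",
}
CURRENT = {
    "userPhotoSubpath": "profiles/{{ user.id }}",  # Twig added since the baseline
    "assetUploadSubpath": "uploads/images",
}

if __name__ == "__main__":
    for f in audit_settings(CURRENT, BASELINE):
        flag = "CHANGED" if f.changed else "unchanged"
        print(f"[{flag}] {f.setting} contains Twig {f.delimiters}: {f.value!r}")
```

Run against periodic exports of the CMS settings (for example from the project configuration) and forward any `CHANGED` finding to the review queue; in deployments that never need dynamic subpaths, the same check can be turned into a hard reject at save time.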
