Skip to content
Nuclei Templates

Craft CMS - Remote Code Execution via Template Path Manipulation

ID: CVE-2024-56145

Severity: critical

Author: jackhax

Tags: cve,cve2024,rce,craftcms,ssti

Description

Section titled “Description”

This template identifies a critical Remote Code Execution (RCE) vulnerability in Craft CMS, identified as GHSA-2p6p-9rc9-62j9.The vulnerability exists due to improper handling of the --templatesPath query parameter, allowing attackers to execute arbitrary code by referencing malicious Twig templates.

YAML Source

Section titled “YAML Source”
id: CVE-2024-56145


info:
  name: Craft CMS - Remote Code Execution via Template Path Manipulation
  author: jackhax
  severity: critical
  description: |
    This template identifies a critical Remote Code Execution (RCE) vulnerability in Craft CMS, identified as GHSA-2p6p-9rc9-62j9.
    The vulnerability exists due to improper handling of the `--templatesPath` query parameter, allowing attackers to execute arbitrary code by referencing malicious Twig templates.
  impact: |
    Successful exploitation of this vulnerability could allow an unauthenticated attacker to perform remote code execution.
  remediation: |
    Upgrade CraftCMS to either >5.5.2 or >4.13.2 or >3.9.14. Or If you can't upgrade yet, and register_argc_argv is enabled, you can disable it to mitigate the issue.
  reference:
    - https://github.com/advisories/GHSA-2p6p-9rc9-62j9
    - https://www.assetnote.io/resources/research/how-an-obscure-php-footgun-led-to-rce-in-craft-cms
    - https://github.com/Chocapikk/CVE-2024-56145
    - https://github.com/craftcms/cms/commit/82e893fb794d30563da296bca31379c0df0079b3
    - https://github.com/craftcms/cms/security/advisories/GHSA-2p6p-9rc9-62j9
  classification:
    cvss-metrics: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
    cvss-score: 9.3
    cve-id: CVE-2024-56145
    cwe-id: CWE-94
    epss-score: 0.00043
    epss-percentile: 0.10941
    cpe: cpe:2.3:a:craftcms:craft:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: craftcms
    product: cms
    shodan-query:
      - http.html:"craftcms"
      - http.favicon.hash:"-47932290"
    fofa-query:
      - icon_hash=-47932290
      - body=craftcms
    publicwww-query: craftcms
  tags: cve,cve2024,rce,craftcms,ssti


variables:
  nonce: "{{rand_int(1000000000,9999999999)}}"


http:
  - raw:
      - |
        GET ?--configPath=/nuclei_test/{{nonce}} HTTP/1.1
        Host: {{Hostname}}


    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '{{nonce}}'
          - 'mkdir()'
          - 'Permission denied'
          - 'No such file or directory'
        condition: and


      - type: status
        status:
          - 503
# digest: 4a0a00473045022100b98233f44cd9e9c639b4f5314d63cbbcb1d3a87a9598d0ac0f3daf7849705545022039f1c02aebb4b3ee28f874d6543dc94e306a8849e6c3be0f2f9c79a54915483b:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2024/CVE-2024-56145.yaml"

View on Github