
CVE-2023-24676: Arbitrary Code Execution in Processwire

CVSS Score: 7.2 (CVSS v3.1)

Basic Information

EPSS Score: 0.26023%
Published: 1/24/2024
Updated: 2/8/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Package Name: processwire/processwire
Ecosystem: composer
Vulnerable Versions: <= 3.0.210
First Patched Version: not listed on this page

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability centers on unvalidated use of the 'download_zip_url' parameter during module installation. The attack flow involves (1) supplying a malicious URL via this parameter, (2) downloading and extracting the ZIP archive it points to, and (3) executing the PHP code contained in that archive. ProcessWire's module installation logic would require functions to handle remote downloads (e.g., downloadModule) and installation orchestration (e.g., installFromUrl). These functions are implicated because they directly process the attacker-controlled input and lack safeguards against remote code inclusion. Confidence is high for ModuleInstaller::downloadModule, given its direct role in handling ZIP URLs, and medium for Modules::installFromUrl, whose responsibility for the installation workflow is inferred rather than confirmed. Note that the CVSS vector above carries PR:H, so the parameter is only reachable by a highly privileged account; the practical risk is that compromise of an administrator-level account with module-installation rights becomes server-side code execution.
