10

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-41892

CVE-2023-41892: Craft CMS Remote Code Execution vulnerability

Impact

This is a high-impact, low-complexity attack vector. Users running Craft installations before 4.4.15 are encouraged to update to at least that version to mitigate the issue.

Mitigations

This has been fixed in Craft 4.4.15. You should ensure you’re running at least that version.
Refresh your security key in case it has already been captured. You can do that by running the php craft setup/security-key command and copying the updated CRAFT_SECURITY_KEY environment variable to all production environments.
If you have any other private keys stored as environment variables (e.g., S3 or Stripe), refresh those as well.
Out of an abundance of caution, you may want to force all your users to reset their passwords in case your database was compromised. You can do that by running php craft resave/users --set passwordResetRequired --to "fn() => true".

References

https://github.com/craftcms/cms/commit/c0a37e15cc925c473e60e27fe64054993b867ac1#diff-47dd43d86f85161944dfcce2e41d31955c4184672d9bd9d82b948c6b01b86476

https://github.com/craftcms/cms/commit/7359d18d46389ffac86c2af1e0cd59e37c298857

https://github.com/craftcms/cms/commit/a270b928f3d34ad3bd953b81c304424edd57355e

https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#4415---2023-07-03-critical

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2023-41892

CVE-2023-41892:

10

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
craftcms/cms	composer	>= 4.0.0-RC1, <= 4.4.14	4.4.15

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from unsanitized user input in condition configurations. The key commit 7359d18 shows the vulnerable code path in ConditionsController.php directly used request parameters to build condition objects. Attackers could craft 'config[name]' payloads with 'on event' keys that Yii would interpret as event handlers, leading to arbitrary object instantiation. The introduction of Component::cleanseConfig in the patch explicitly removes these dangerous keys, confirming their role in the exploit chain. The CWE-94 classification and remote code execution impact directly map to this unsafe parameter handling pattern.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

10

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2023-41892: Craft CMS Remote Code Execution vulnerability

Impact

Mitigations

References

CVE-2023-41892:

10

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

Technical Details

CVE-2023-41892: Craft CMS Remote Code Execution vulnerability

Impact

Mitigations

References

10

10

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI