
CVE-2023-47129: Statamic CMS remote code execution via front-end form uploads

CVSS Score
8.4 (CVSS v3.1)

Basic Information

EPSS Score
0.87532%
Published
11/12/2023
Updated
11/12/2023
KEV Status
No
Technology
PHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version
statamic/cms | composer  | >= 4.0.0, < 4.33.0  | 4.33.0
statamic/cms | composer  | < 3.4.13            | 3.4.13

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stemmed from insufficient file extension validation in front-end form asset uploads. The patch in commit 098ef80 modifies the extraRules method to add a closure validator that explicitly blocks .php, .php3, .php4, .php5, and .phtml extensions. The original code only enforced a generic 'file' validation rule (line 167 in the diff), which relied on MIME-type validation that could be spoofed. The vulnerable function was responsible for defining these validation rules, making it the root cause of the unrestricted upload vulnerability.
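An added illustration (not Statamic's code) of the two layers described above: a MIME-only check that a file crafted to look like an image passes, next to a Laravel-style closure validator that rejects the listed PHP extensions regardless of MIME type. The filenames and helper names are constructed, and the check deliberately goes slightly beyond the patch by inspecting every dotted segment of the name.

```php
<?php
// Added example, not Statamic's code. Emulates the weak layer (MIME-only
// validation) and the fix (explicit extension denylist). Requires PHP 8.

// The extensions the patch explicitly rejects.
const BLOCKED_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'phtml'];

// Stand-in for a Laravel closure rule: function ($attribute, $value, $fail).
// $value is the client-supplied filename. Every dotted segment is checked,
// so a name like "shot.php.jpg" is refused too (stricter than the patch).
function blockPhpExtensions(string $attribute, string $value, callable $fail): void
{
    $segments = explode('.', strtolower(basename($value)));
    array_shift($segments); // first segment is the base name, not an extension
    foreach ($segments as $ext) {
        if (in_array($ext, BLOCKED_EXTENSIONS, true)) {
            $fail("The {$attribute} must not have a PHP extension (.{$ext}).");
            return;
        }
    }
}

// The weak layer: accept anything whose sniffed MIME type reads "image/*".
// Content sniffing looks at leading bytes, so a script with an image header
// prepended is reported as an image and passes this check alone.
function passesMimeOnlyCheck(string $sniffedMime): bool
{
    return str_starts_with($sniffedMime, 'image/');
}

// Constructed uploads: [client filename, MIME type the server sniffs].
$uploads = [
    ['photo.jpg',    'image/jpeg'],  // legitimate image
    ['avatar.php',   'image/gif'],   // script crafted to sniff as an image
    ['banner.phtml', 'image/png'],
    ['shot.php.jpg', 'image/jpeg'],
];

foreach ($uploads as [$name, $mime]) {
    $errors = [];
    $fail = function (string $msg) use (&$errors): void { $errors[] = $msg; };
    if (!passesMimeOnlyCheck($mime)) {
        $errors[] = 'MIME check failed';
    }
    blockPhpExtensions('file', $name, $fail);
    printf("%-14s mime-only: %-8s with extension rule: %s\n",
        $name,
        passesMimeOnlyCheck($mime) ? 'accepted' : 'rejected',
        $errors ? 'rejected' : 'accepted');
}
```

Only photo.jpg survives both layers; the other three pass the MIME-only check and are stopped by the extension rule.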


WAF Protection Rules

WAF Rule

Impact
On front-end forms with an asset upload field, PHP files crafted to look like images may be uploaded regardless of mime validation rules. This only affects forms using the "Forms" feature and not just any arbitrary form. This does not
