CVE-2023-30179: Improper Control of Generation of Code ('Code Injection')

June 13, 2023 (updated November 9, 2023)

CraftCMS version 3.7.59 is vulnerable to Server-Side Template Injection (SSTI). An authenticated attacker can inject Twig Template to User Photo Location field when setting User Photo Location in User Settings, lead to Remote Code Execution.

References

datnlq.gitbook.io/cve/craft-cms/cve-2023-30179-server-side-template-injection
github.com/craftcms/cms/blob/develop/CHANGELOG.md
nvd.nist.gov/vuln/detail/CVE-2023-30179

Detect and mitigate CVE-2023-30179 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →