CVE-2023-24676: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

January 24, 2024

An issue found in Processwire 3.0.210 allows attackers to execute arbitrary code and install a reverse shell via the download_zip_url parameter when installing a new module.

References

github.com/advisories/GHSA-2cvg-w29m-j8xc
medium.com/%40cupc4k3/reverse-shell-via-remote-file-inlusion-in-proccesswire-cms-a8fa5ace3255
nvd.nist.gov/vuln/detail/CVE-2023-24676

Detect and mitigate CVE-2023-24676 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →