CVE-2023-47129: Statamic CMS remote code execution via front-end form uploads

November 12, 2023

Statmic is a core Laravel content management system Composer package. Prior to versions 3.4.13 and 4.33.0, on front-end forms with an asset upload field, PHP files crafted to look like images may be uploaded. This only affects forms using the “Forms” feature and not just any arbitrary form. This does not affect the control panel. This issue has been patched in 3.4.13 and 4.33.0.

References

github.com/advisories/GHSA-72hg-5wr5-rmfc
github.com/statamic/cms/commit/098ef8024d97286ca501273c18ae75b646262d75
github.com/statamic/cms/commit/f6c688154f6bdbd0b67039f8f11dcd98ba061e77
github.com/statamic/cms/security/advisories/GHSA-72hg-5wr5-rmfc
nvd.nist.gov/vuln/detail/CVE-2023-47129

Code Behaviors & Features

Detect and mitigate CVE-2023-47129 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →