GHSA-3x74-v64j-qc3f: CraftCMS Server-Side Template Injection vulnerability
CraftCMS is vulnerable to Server-Side Template Injection (SSTI). An authenticated attacker can inject a Twig template into the User Photo Location field when setting the User Photo Location in User Settings, leading to Remote Code Execution.
High severity • GitHub Reviewed • Published Jun 13, 2023 to the GitHub Advisory Database • Updated Jun 14, 2023
Related news
CVE-2023-30179: cms/CHANGELOG.md at develop · craftcms/cms
CraftCMS version 3.7.59 is vulnerable to Server-Side Template Injection (SSTI). An authenticated attacker can inject a Twig template into the User Photo Location field when setting the User Photo Location in User Settings, leading to Remote Code Execution.