CVE-2024-52293

Craft is a content management system (CMS). Prior to 4.12.2 and 5.4.3, Craft is missing normalizePath in the function FileHelper::absolutePath could lead to Remote Code Execution on the server via twig SSTI. This is a sequel to CVE-2023-40035. This vulnerability is fixed in 4.12.2 and 5.4.3.

Published: Nov 13, 2024
Updated: May 4, 2025
CVE: CVE-2024-52293
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.2
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWEs:

CWE-22

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
craftcms / craft_cms	4.0.0-rc3	4.0.0-rc3.x
craftcms / craft_cms	4.0.0-rc1	4.0.0-rc1.x
craftcms / craft_cms	4.0.0-rc2	4.0.0-rc2.x
craftcms / craft_cms	5.0.0-rc1	5.0.0-rc1.x
craftcms / craft_cms	4.0.0.x	4.12.2
craftcms / craft_cms	5.0.0.x	5.4.3

https://github.com/craftcms/cms/commit/123e48a696de1e2f63ab519d4730eb3b87beaa58
https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv

Vulnerability Database

289,496

CVE-2024-52293