漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
Craft Affected by Authenticated RCE via "craft.app.fs.write()" in Twig Templates
Vulnerability Description
Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, an authenticated administrator can achieve Remote Code Execution (RCE) by injecting a Server-Side Template Injection (SSTI) payload into Twig template fields (e.g., Email Templates). By calling the craft.app.fs.write() method, an attacker can write a malicious PHP script to a web-accessible directory and subsequently access it via the browser to execute arbitrary system commands. This vulnerability is fixed in 4.17.0-beta.1 and 5.9.0-beta.1.
CVSS Information
N/A
Vulnerability Type
CWE-1336
Vulnerability Title
Craft CMS 安全漏洞
Vulnerability Description
Craft CMS是Craft CMS开源的一套内容管理系统(CMS)。 Craft CMS 4.17.0-beta.1之前版本和5.9.0-beta.1之前版本存在安全漏洞,该漏洞源于通过向Twig模板字段注入服务器端模板注入有效载荷,可能导致远程代码执行。
CVSS Information
N/A
Vulnerability Type
N/A