CVE-2023-47129

HIGH

Statamic < 3.4.13 - Unrestricted File Upload

Title source: rule

Description

Statmic is a core Laravel content management system Composer package. Prior to versions 3.4.13 and 4.33.0, on front-end forms with an asset upload field, PHP files crafted to look like images may be uploaded. This only affects forms using the "Forms" feature and not just _any_ arbitrary form. This does not affect the control panel. This issue has been patched in 3.4.13 and 4.33.0.

Exploits (1)

nomisec WRITEUP 3 stars

by Cyber-Wo0dy · poc

https://github.com/Cyber-Wo0dy/CVE-2023-47129

View Code ZIP pw:eip

References (3)

[Patch] https://github.com/statamic/cms/commit/098ef8024d97286ca501273c18ae75b646262d75

[Patch] https://github.com/statamic/cms/commit/f6c688154f6bdbd0b67039f8f11dcd98ba061e77

[Vendor Advisory] https://github.com/statamic/cms/security/advisories/GHSA-72hg-5wr5-rmfc

Scores

CVSS v3 8.3

EPSS 0.0541

EPSS Percentile 90.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

Details

CWE

CWE-434

Status published

Products (2)

statamic/cms 4.0.0 - 4.33.0Packagist

statamic/statamic < 3.4.13

Published Nov 10, 2023

Tracked Since Feb 18, 2026