Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.13, a Remote Code Execution (RCE) vulnerability exists in Craft CMS that can be exploited by any authenticated user with control panel access. This is a bypass of a previous fix. The existing patches add cleanseConfig() to assembleLayoutFromPost() and various FieldsController actions to strip Yii2 behavior/event injection keys ("as" and "on" prefixed keys). However, the fieldLayouts parameter in ElementIndexesController::actionFilterHud() is passed directly to FieldLayout::createFromConfig() without any sanitization, enabling the same behavior injection attack chain. This issue has been patched in version 5.9.13.
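To make the fix concrete, the following is an added PHP example, not Craft's own cleanseConfig() implementation, of a recursive sanitizer that drops the "as " and "on " prefixed keys that a Yii2 Component interprets as behavior attachment and event-handler configuration. The function name, the sample layout array and the placeholder class names are constructed for this illustration; anything reaching FieldLayout::createFromConfig() from a request body would need this kind of treatment first.

```php
<?php
// Added illustration; not Craft CMS code. Hypothetical helper that recursively
// removes array keys a Yii2 component would treat as configuration it must act on:
//   "on <eventName>" => event handler, "as <behaviorName>" => behavior attachment.
// Such keys must never be accepted from user-controlled input.
function stripYiiInjectionKeys(array $config): array
{
    $clean = [];
    foreach ($config as $key => $value) {
        // Yii2 matches these prefixes literally: "on " and "as " followed by a name.
        if (is_string($key) && preg_match('/^(as|on)\s/i', $key)) {
            continue; // drop the key and its value entirely
        }
        // Recurse so that keys nested inside tabs/elements are also removed.
        $clean[$key] = is_array($value) ? stripYiiInjectionKeys($value) : $value;
    }
    return $clean;
}

// Returns true when no "as "/"on " key survives anywhere in the structure.
function isFreeOfInjectionKeys(array $config): bool
{
    foreach ($config as $key => $value) {
        if (is_string($key) && preg_match('/^(as|on)\s/i', $key)) {
            return false;
        }
        if (is_array($value) && !isFreeOfInjectionKeys($value)) {
            return false;
        }
    }
    return true;
}

// Constructed sample: a field layout config shaped like a POST body, with injected
// keys nested inside a tab definition. Class names and UIDs are placeholders.
$untrusted = [
    'tabs' => [
        [
            'name'     => 'Content',
            'elements' => [
                ['type' => 'PLACEHOLDER-ELEMENT-CLASS', 'fieldUid' => 'PLACEHOLDER-UID'],
            ],
            'on afterLoad' => ['PLACEHOLDER-CLASS', 'placeholderMethod'],
            'as injected'  => ['class' => 'PLACEHOLDER-BEHAVIOR-CLASS'],
        ],
    ],
];

$safe = stripYiiInjectionKeys($untrusted);

// Legitimate structure is preserved, injected keys are gone.
var_dump(isFreeOfInjectionKeys($untrusted));
var_dump(isFreeOfInjectionKeys($safe));
var_dump($safe['tabs'][0]['name'], count($safe['tabs'][0]['elements']));
```

The design choice worth noting is that the sanitizer recurses into every nested array rather than checking only the top level: the layout config is a tree of tabs and elements, and a key injected at any depth is still handed to a Yii2 object constructor when the layout is built. A defender reviewing a similar codebase should look for every call that turns request data into a component configuration and confirm the same recursive check runs on that path.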
Craft CMS versions 5.6.0 to 5.9.12 contain a Remote Code Execution vulnerability allowing authenticated control panel users to bypass previous security patches through the unsanitized fieldLayouts parameter in ElementIndexesController. The vulnerability enables Yii2 behavior and event injection attacks, requiring immediate patching to version 5.9.13 or later.
This vulnerability affects Craft CMS from version 5.6.0 to 5.9.12 and allows any user authorized to access the control panel to execute commands remotely. It occurs because the fieldLayouts parameter in ElementIndexesController::actionFilterHud() is passed directly to FieldLayout::createFromConfig() without any sanitization, which allows Yii2 behavior and event injection attacks.
Immediately upgrade Craft CMS to version 5.9.13 or later. For organizations unable to upgrade immediately, restrict control panel access to trusted administrators only and implement network segmentation to limit access to the CMS administration interface. Monitor logs for suspicious fieldLayouts parameter usage and behavior injection attempts.
Upgrade Craft CMS immediately to version 5.9.13 or later. For organizations unable to upgrade immediately, restrict control panel access to trusted administrators only and apply network segmentation to limit access to the CMS administration interface. Monitor logs to detect suspicious uses of the fieldLayouts parameter and behavior injection attempts.