CVE-2024-56145

RCE when PHP `register_argc_argv` config setting is enabled in craftcms/cms

CVSS 9.3 CRITICAL · EPSS 97.4% · KEV · CWE-94
In short

Unpatched Craft CMS installations allow unauthenticated attackers to run arbitrary code on the server whenever the PHP setting `register_argc_argv` is enabled. This is a critical vulnerability that can give attackers full control of the website and its host.

Technical detail

A remote code execution vulnerability exists in Craft CMS when the PHP `register_argc_argv` configuration directive is enabled, allowing unauthenticated attackers to execute arbitrary code; the vendor has not published the exact vector. With this directive on, PHP's web SAPIs (CGI, FPM, mod_php) populate `$_SERVER['argv']` and `$_SERVER['argc']` from the raw query string of every web request (split on `+`, without URL decoding), so any code path that reads those variables to detect console mode or to parse command-line style options can be fed attacker-chosen values over HTTP. The `$argc`/`$argv` globals themselves are only declared for the CLI SAPI, so it is the `$_SERVER` entries that matter here. Affected versions: 3.x < 3.9.14, 4.x < 4.13.2, 5.x < 5.5.2. Note that PHP's compiled-in default for `register_argc_argv` is On; the shipped php.ini-production and php.ini-development both set it Off, so a server running without any php.ini (for example a container image that ships those files only as templates) is exposed even though no administrator ever turned the directive on.
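The following exposure check is an added example for this page, not code from the Craft CMS project. It models how PHP builds `$_SERVER['argv']` from a query string when `register_argc_argv` is on (split on `+`, no decoding), evaluates the effective value of the directive from php.ini text using PHP's rules (last uncommented assignment wins; `on`/`true`/`yes` or a non-zero integer means enabled; no assignment means the compiled-in default, On), and combines that with the affected version ranges from this advisory. The php.ini fragments, version strings and query string are constructed sample input; the option names in the query string are placeholders, not a known Craft CLI option.

```python
"""Exposure check for CVE-2024-56145 (added example; not Craft CMS project code).

Sample php.ini text, version strings and query strings below are constructed.
"""
import re

# First fixed release per major line, from the advisory (3.x < 3.9.14, 4.x < 4.13.2, 5.x < 5.5.2).
FIXED = {3: (3, 9, 14), 4: (4, 13, 2), 5: (5, 5, 2)}


def parse_version(version):
    """'5.5.1' -> (5, 5, 1); extra components beyond three are ignored."""
    return tuple(int(part) for part in version.split(".")[:3])


def craft_affected(version):
    """True when the Craft version is in an affected range; unknown major lines are not listed."""
    parsed = parse_version(version)
    fixed = FIXED.get(parsed[0])
    return fixed is not None and parsed < fixed


def register_argc_argv_enabled(ini_text):
    """Effective register_argc_argv value for a web SAPI given php.ini text.

    PHP's compiled-in default is On; php.ini-production/-development set it Off.
    A host running with no php.ini at all therefore evaluates to enabled.
    (The CLI SAPI forces it On regardless; that is not the exposure this check models.)
    """
    value = None
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop ini comments
        match = re.match(r"register_argc_argv\s*=\s*(.*)$", line, re.I)
        if match:
            value = match.group(1).strip().strip('"')  # last assignment wins
    if value is None:
        return True                                    # compiled-in default: On
    lowered = value.lower()
    if lowered in ("on", "true", "yes"):
        return True
    number = re.match(r"-?\d+", lowered)               # PHP falls back to atoi()
    return bool(number and int(number.group()) != 0)


def php_web_argv(query_string):
    """Model of php_build_argv() for a non-CLI SAPI with register_argc_argv=On.

    The raw query string is split on '+' into $_SERVER['argv']; there is no URL
    decoding and no key=value handling, so CLI-style tokens survive intact and
    reach any code that parses $_SERVER['argv'] as command-line options.
    """
    if not query_string:
        return []
    return query_string.split("+")


def exposed(ini_text, craft_version):
    """True when both conditions from the advisory hold."""
    return craft_affected(craft_version) and register_argc_argv_enabled(ini_text)


# Constructed sample configurations.
SAMPLE_INI_PRODUCTION = """\
[PHP]
; Production Value: Off
register_argc_argv = Off
"""
SAMPLE_INI_NONE = ""  # host running without any php.ini: compiled default applies

if __name__ == "__main__":
    for ini, label in ((SAMPLE_INI_PRODUCTION, "php.ini-production"), (SAMPLE_INI_NONE, "no php.ini")):
        for version in ("5.5.1", "5.5.2", "4.13.1"):
            print(f"{label:20} Craft {version:8} exposed={exposed(ini, version)}")
    # Placeholder option names: shows the shape of argv a web request can inject.
    print(php_web_argv("--some-option=value+--another+arg"))
```

Run the module directly to see the exposure matrix for the two constructed configurations; in an audit, feed `register_argc_argv_enabled` the output of `php-fpm -i` or `phpinfo()`'s loaded ini rather than a file on disk, since the loaded configuration is what the web SAPI actually uses.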

Summary generated and translated by AI from the official description.
Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Users of affected versions are affected by this vulnerability if their php.ini configuration has `register_argc_argv` enabled. For these users an unspecified remote code execution vector is present. Users are advised to update to version 3.9.14, 4.13.2, or 5.5.2. Users unable to upgrade should disable `register_argc_argv` to mitigate the issue.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Affected products
craftcms · cms