CVE-2023-32679: 
PHP vulnerability analysis and mitigation

Craft CMS, an open source content management system, was found to be vulnerable to Remote Code Execution (CVE-2023-32679) due to an unrestricted file extension issue. The vulnerability affects versions from 4.0.0 to 4.4.5 and was disclosed on May 19, 2023. The vulnerability exists in the View.php's template resolution functionality where arbitrary extension files could be rendered as twig templates (GitHub Advisory).

The vulnerability occurs in the View.php's doesTemplateExist() -> resolveTemplate() -> resolveTemplateInternal() -> resolveTemplate() function chain. If the name parameter value is not empty, the function returns directly without proper extension verification, allowing arbitrary extension files to be rendered as twig templates. This bypasses the intended restriction of defaultTemplateExtensions which should only allow 'html' and 'twig' extensions. The vulnerability has been assigned a CVSS v3.1 score of 7.2 (High) with vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (GitHub Advisory).

When successfully exploited, this vulnerability can lead to remote code execution, potentially allowing attackers to take control of vulnerable systems, perform data exfiltration, execute malware, and enable system pivoting. The impact is particularly concerning for development environments or improperly configured staging/production environments where ALLOWADMINCHANGES=true (GitHub Advisory).

The vulnerability has been patched in version 4.4.6. The fix includes implementing proper template file extension verification before returning the file path. Users are strongly advised to upgrade to this version or later. There are no known workarounds for this vulnerability (GitHub Advisory).