CVE-2024-52293: 
PHP vulnerability analysis and mitigation

Craft CMS, a content management system, was found to have a critical vulnerability (CVE-2024-52293) affecting versions prior to 4.12.2 and 5.4.3. The vulnerability stems from missing normalizePath in the FileHelper::absolutePath function, which could lead to Remote Code Execution (RCE) on the server via Twig Server-Side Template Injection (SSTI). This vulnerability is considered a sequel to CVE-2023-40035 (GitHub Advisory).

The vulnerability exists in the FileHelper::absolutePath function where the path normalization was missing, returning $from . $ds . $to without proper normalization. This oversight allows bypassing the isSystemDir security check, enabling the creation of a Local filesystem within system directories. The vulnerability can be exploited by creating a new asset volume with the compromised filesystem, uploading a .ttml file containing malicious Twig code, and executing it through a new route. The CVSS v3.1 base score is 7.2 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (GitHub Advisory).

The vulnerability can lead to system compromise through Remote Code Execution, enabling attackers to take control of vulnerable systems, perform data exfiltration, execute malware, and potentially use the compromised system for pivoting to other targets. Despite requiring authenticated access and ALLOWADMINCHANGES=true configuration, the potential for RCE presents a significant security threat (GitHub Advisory).

The vulnerability has been patched in versions 4.12.2 and 5.4.3. The fix involves properly implementing path normalization in the FileHelper::absolutePath function. Users are strongly advised to upgrade to these patched versions to mitigate the risk (GitHub Patch).