CVE-2024-52600: 
PHP vulnerability analysis and mitigation

Statamic, a Laravel and Git powered content management system (CMS), disclosed a path traversal vulnerability (CVE-2024-52600) affecting versions prior to 5.17.0. The vulnerability allows assets uploaded with specially crafted filenames to be placed in locations different than what was configured. The issue was discovered and disclosed on November 19, 2024 (GitHub Advisory).

The vulnerability exists in the asset upload functionality where files with appropriately crafted filenames could bypass intended path restrictions. The issue affects front-end forms with assets fields and other upload-enabled locations. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, indicating network accessibility with low attack complexity (GitHub Advisory).

When exploited, the vulnerability allows attackers to upload files to different locations on the server than intended and potentially override existing files. However, it's important to note that traversal outside an asset container was not possible. The impact is limited to users with upload permissions (GitHub Advisory).

The vulnerability has been fixed in Statamic version 5.17.0. Users are advised to upgrade to this version or later to address the path traversal vulnerability (GitHub Advisory).