CVE-2023-30179 Information

Description

CraftCMS version 3.7.59 is vulnerable to Server-Side Template Injection (SSTI). An authenticated attacker can inject a Twig template into the User Photo Location field when setting User Photo Location in User Settings, leading to Remote Code Execution.

Reference

https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#442---2023-03-14
https://datnlq.gitbook.io/cve/craft-cms/cve-2023-30179-server-side-template-injection
