CVE-2024-56145

Published Dec 18, 2024

Last updated 2 months ago

Overview

Description
Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Users of affected versions are affected by this vulnerability if their php.ini configuration has `register_argc_argv` enabled. For these users an unspecified remote code execution vector is present. Users are advised to update to version 3.9.14, 4.13.2, or 5.5.2. Users unable to upgrade should disable `register_argc_argv` to mitigate the issue.
Source: security-advisories@github.com
NVD status: Awaiting Analysis

Risk scores

CVSS 4.0

Type: Secondary
Base score: 9.3
Impact score: -
Exploitability score: -
Vector string: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity: CRITICAL

Weaknesses

security-advisories@github.com
CWE-94

Social media

Hype score
Not currently trending
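  1. Craft CMS RCE vulnerability CVE-2024-56145 (CVSS 9.3) fixed: PoC also available https://t.co/pTBYFymwo9 The Craft CMS vulnerability has reportedly been fixed. In Japan, it looks like bit-par provides support. CMSs are flourishing in great variety, with many different products and services on offer. #Assetnote #CMS #CraftCMS… https://t.co/a8cdGksnEO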

    @iototsecnews

    3 Jan 2025

    156 Impressions

    1 Retweet

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. #Vulnerability #CraftCMS CVE-2024-56145 (CVSS 9.3): Remote Code Execution Vulnerability in Craft CMS, PoC Published https://t.co/DQGWq40XAA

    @Komodosec

    24 Dec 2024

    63 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. 🚨 A critical RCE vulnerability (CVE-2024-56145) in Craft CMS affects over 150K sites. Improper handling of PHP options allows attackers to exploit the bootstrap file. Immediate action is necessary! ⚠️ #CraftCMSExploits #RCEprotection #CybersecurityNews … https://t.co/1uFBeJOlNg

    @TweetThreatNews

    23 Dec 2024

    43 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  4. CVE-2024-56145: Code Injection in Craft CMS, 9.3 rating 🔥 The vulnerability we almost missed allows an attacker to pass code in place of CLI arguments and gain RCE. Search at https://t.co/hv7QKSqxTR: 👉 Link: https://t.co/Jfmk8GdX7H #cybersecurity #vulnerability_map https://t

    @Netlas_io

    23 Dec 2024

    388 Impressions

    1 Retweet

    8 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  5. CVE-2024-56145 alert 🚨 Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond The vulnerability is actively exploited in the wild and has been integrated into Patrowl. Our customers' assets are protected. 🦉 #CyberSecurity #InfoSec ht

    @Patrowl_io

    23 Dec 2024

    61 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  6. CVE-2024-56145 RCE in Craft CMS Unauthenticated RCE on CraftCMS when PHP register_argc_argv config setting is enabled Blog https://t.co/GmjdOUSL3z Query: HUNTER :/product.name="Craft CMS" FOFA : product="craft-cms" SHODAN : http.component:"Craft CMS" https://t.co/aUV2xpOTNJ

    @yunus_huse9663

    23 Dec 2024

    13 Impressions

    1 Retweet

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. CVE-2024-56145 (CVSS 9.3): Remote Code Execution Vulnerability in Craft CMS, PoC Published https://t.co/zg33yGzEwZ

    @Dinosn

    23 Dec 2024

    2502 Impressions

    5 Retweets

    28 Likes

    9 Bookmarks

    0 Replies

    0 Quotes

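  8. Critical remote code execution vulnerability in Craft CMS. CVE-2024-56145 has a CVSS score of 9.3 and requires register_argc_argv to be enabled (the default) in php.ini. The cause is that bootstrap/bootstrap.php does not verify whether it is being run from a CLI environment. https://t.co/h5RBn3Ktkb The php://filter wrapper is blocked, but… https://t.co/7bA5HXCKyt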

    @__kokumoto

    23 Dec 2024

    492 Impressions

    1 Retweet

    4 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. CVE-2024-56145 (CVSS 9.3): Remote Code Execution Vulnerability in Craft CMS, PoC Published Discover the details of the critical vulnerability in Craft CMS that allows for unauthenticated remote code execution https://t.co/ByIqvB23UT

    @the_yellow_fall

    23 Dec 2024

    321 Impressions

    3 Retweets

    6 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  10. 🗣 CVE-2024-56145 (CVSS 9.3): Remote Code Execution Vulnerability in Craft CMS, PoC Published https://t.co/3jT4Kh385k

    @fridaysecurity

    23 Dec 2024

    44 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  11. Top 5 Trending CVEs: 1 - CVE-2024-54150 2 - CVE-2023-34990 3 - CVE-2024-12356 4 - CVE-2024-56145 5 - CVE-2024-12727 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    22 Dec 2024

    161 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  12. CVE-2024-56145 RCE in Craft CMS Unauthenticated RCE on CraftCMS when PHP register_argc_argv config setting is enabled Blog https://t.co/yGWrS8XLvA Query: HUNTER :/product.name="Craft CMS" FOFA : product="craft-cms" SHODAN : http.component:"Craft CMS" #BugBounty #cybersecurity

    @TodayCyberNews

    22 Dec 2024

    788 Impressions

    5 Retweets

    17 Likes

    3 Bookmarks

    0 Replies

    0 Quotes

  13. CVE-2024-56145: Craft CMS exploit tool https://t.co/UJaKRNjUJC

    @turne85540

    22 Dec 2024

    30 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  14. GitHub - Chocapikk/CVE-2024-56145: Unauthenticated RCE on CraftCMS when PHP `register_argc_argv` config setting is enabled - https://t.co/3iRqJRtzXI

    @piedpiper1616

    21 Dec 2024

    699 Impressions

    3 Retweets

    9 Likes

    5 Bookmarks

    0 Replies

    0 Quotes

  15. 🚨 [CVE-2024-56145] Exploit released! 🚨 Details, PoC, and setup instructions: 🔗 https://t.co/VpvdJnhSYa Learn more: 📖 https://t.co/sTtU8tUoAD #bugbountytips #BugBounty https://t.co/9Ad2GLbhLp

    @wtf_brut

    20 Dec 2024

    2363 Impressions

    10 Retweets

    58 Likes

    26 Bookmarks

    0 Replies

    0 Quotes

  16. 🚨 [CVE-2024-56145] Exploit released! 🚨 I’ve successfully reproduced the Craft CMS RCE vulnerability, thanks to the outstanding research by @Assetnote. Details, PoC, and setup instructions: 🔗 https://t.co/li7sSkEIQJ Learn more: 📖 https://t.co/Hp7EVIW3HR 🙏 Huge thanks to… h

    @Chocapikk_

    20 Dec 2024

    13219 Impressions

    46 Retweets

    211 Likes

    119 Bookmarks

    4 Replies

    3 Quotes

  17. Last month, our Security Research team discovered and disclosed a critical pre-authentication RCE in CraftCMS (CVE-2024-56145). You can read our blog post on the issue here: https://t.co/5XKTpW5SNq https://t.co/dfznF5JfJ9

    @assetnote

    19 Dec 2024

    4806 Impressions

    22 Retweets

    76 Likes

    22 Bookmarks

    2 Replies

    0 Quotes

  18. We discovered a pre-authentication RCE vulnerability in Craft CMS caused by an obscure PHP foot gun (CVE-2024-56145), approx 150k sites created with Craft CMS. You can read @Assetnote's Security Research team's blog on the issue: https://t.co/UuzXePNVeT #attacksurfacemanagement

    @infosec_au

    19 Dec 2024

    15796 Impressions

    76 Retweets

    306 Likes

    99 Bookmarks

    6 Replies

    1 Quote

  19. CVE-2024-56145 Remote Code Execution Vulnerability in Craft CMS Requires Urgent ... https://t.co/mcUU9lJKYE Vulnerability Alert Subscriptions: https://t.co/hrQhy5uz4x

    @VulmonFeeds

    19 Dec 2024

    5 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  20. CVE-2024-56145 Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Users of affected versions are affected by this vulnerability if… https://t.co/rKXOw4Zhgz

    @CVEnew

    18 Dec 2024

    353 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes