+ "details": "## Summary\n\nA Remote Code Execution (RCE) vulnerability exists in Craft CMS 5.x and 4.x that bypasses the security fixes for GHSA-7jx7-3846-m7w7 and GHSA-255j-qw47-wjh5. This vulnerability can be exploited by any authenticated user with control panel access.\n\nThe existing patches add `cleanseConfig()` to `assembleLayoutFromPost()` and various `FieldsController` actions to strip Yii2 behavior/event injection keys (`as ` and `on ` prefixed keys). However, the `fieldLayouts` parameter in `ElementIndexesController::actionFilterHud()` is passed directly to `FieldLayout::createFromConfig()` without any sanitization, enabling the same behavior injection attack chain.\n\n## Impact\n\n- **Attack Type**: Remote Code Execution (RCE)\n- **Authentication Required**: Authenticated user with control panel access (`accessCp` permission)\n\n## Vulnerability Details\n\n### Root Cause\n\nIn `ElementIndexesController::actionFilterHud()` (line 493-494), the `fieldLayouts` body parameter is passed to `FieldLayout::createFromConfig()` without `cleanseConfig()`:\n\n```php\n// ElementIndexesController.php:485-494\nif ($conditionConfig) {\n $conditionConfig = Component::cleanseConfig($conditionConfig); // conditionConfig IS cleansed\n $condition = $conditionsService->createCondition($conditionConfig);\n} else {\n $condition = $this->elementType()::createCondition();\n}\n\nif (!empty($fieldLayouts)) {\n // fieldLayouts is NOT cleansed!\n $condition->setFieldLayouts(array_map(\n fn(array $config) => FieldLayout::createFromConfig($config),\n $fieldLayouts\n ));\n}\n```\n\nNote the inconsistency: `conditionConfig` is sanitized with `cleanseConfig()`, but `fieldLayouts` is not.\n\n### Attack Chain\n\n1. Send a `fieldLayouts` array containing config with `\"as <name>\"` prefixed keys\n2. `FieldLayout::createFromConfig($config)` -> `new self($config)` -> `Model::__construct($config)`\n3. `App::configure($this, $config)` processes each key\n4. `\"as rce\"` key -> `Component::__set(\"as rce\", $value)` -> `Yii::createObject($value)` -> instantiates `AttributeTypecastBehavior` and attaches it to the FieldLayout\n5. `\"on *\"` key -> registers a wildcard event handler\n6. `parent::__construct()` -> `init()` -> `setTabs([])` -> `getAvailableNativeFields()` -> `trigger(EVENT_DEFINE_NATIVE_FIELDS)`\n7. The wildcard handler fires -> `AttributeTypecastBehavior::beforeSave()` -> `typecastAttributes()`\n8. `$this->owner->typecastBeforeSave` -> resolved via `Component::__get()` -> returns the command string from the behavior's own property\n9. `call_user_func([ConsoleProcessus::class, 'execute'], $command)` -> `shell_exec($command)`\n\n### Prerequisites\n\n- A user account with control panel access",
![advisory-database[bot]](https://avatars.githubusercontent.com/in/21409?v=4&size=40){kind=avatar}
0 commit comments