{"id":"CVE-2023-48217","summary":"Remote code execution via form uploads in statamic/cms","details":"Statamic is a flat-first, Laravel + Git powered CMS designed for building websites. In affected versions certain additional PHP files crafted to look like images may be uploaded regardless of mime type validation rules. This affects front-end forms using the \"Forms\" feature, and asset upload fields in the control panel. Malicious users could leverage this vulnerability to upload and execute code. This issue has been patched in versions 3.4.14 and 4.34.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.","aliases":["GHSA-2r53-9295-3m86"],"modified":"2026-03-20T12:31:44.480581Z","published":"2023-11-14T21:38:37.590Z","database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/48xxx/CVE-2023-48217.json","cwe_ids":["CWE-94"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/48xxx/CVE-2023-48217.json"},{"type":"ADVISORY","url":"https://github.com/statamic/cms/security/advisories/GHSA-2r53-9295-3m86"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-48217"},{"type":"FIX","url":"https://github.com/statamic/cms/commit/4c6fe041e2203a8033e5949ce4a5d9d6c0ad2411"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/statamic/cms","events":[{"introduced":"79f5628550a21c4a02c2787f81fbfc165a1c97fe"},{"fixed":"24b73ab9a6965e60b7c335b76f95fe57c9dbea67"}],"database_specific":{"versions":[{"introduced":"4.0.0"},{"fixed":"4.34.0"}]}},{"type":"GIT","repo":"https://github.com/statamic/cms","events":[{"introduced":"0"},{"fixed":"8a808780b0756b18c921a55f53e97768c877f9c6"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"3.4.14"}]}}],"versions":["v3.0.0","v3.0.0-beta.1","v3.0.0-beta.10","v3.0.0-beta.11","v3.0.0-beta.12","v3.0.0-beta.13","v3.0.0-beta.14","v3.0.0-beta.15","v3.0.0-beta.16","v3.0.0-beta.17","v3.0.0-beta.18","v3.0.0-beta.19","v3.0.0-beta.2","v3.0.0-beta.20","v3.0.0-beta.21","v3.0.0-beta.22","v3.0.0-beta.23","v3.0.0-beta.24","v3.0.0-beta.25","v3.0.0-beta.26","v3.0.0-beta.27","v3.0.0-beta.28","v3.0.0-beta.29","v3.0.0-beta.3","v3.0.0-beta.30","v3.0.0-beta.31","v3.0.0-beta.32","v3.0.0-beta.33","v3.0.0-beta.34","v3.0.0-beta.35","v3.0.0-beta.36","v3.0.0-beta.37","v3.0.0-beta.38","v3.0.0-beta.39","v3.0.0-beta.4","v3.0.0-beta.40","v3.0.0-beta.41","v3.0.0-beta.42","v3.0.0-beta.43","v3.0.0-beta.44","v3.0.0-beta.45","v3.0.0-beta.46","v3.0.0-beta.5","v3.0.0-beta.6","v3.0.0-beta.7","v3.0.0-beta.8","v3.0.0-beta.9","v3.0.1","v3.0.10","v3.0.11","v3.0.12","v3.0.13","v3.0.14","v3.0.15","v3.0.16","v3.0.17","v3.0.18","v3.0.19","v3.0.2","v3.0.20","v3.0.21","v3.0.22","v3.0.23","v3.0.24","v3.0.25","v3.0.26","v3.0.27","v3.0.28","v3.0.29","v3.0.3","v3.0.30","v3.0.31","v3.0.32","v3.0.33","v3.0.34","v3.0.35","v3.0.36","v3.0.37","v3.0.38","v3.0.39","v3.0.4","v3.0.40","v3.0.41","v3.0.42","v3.0.43","v3.0.44","v3.0.45","v3.0.46","v3.0.47","v3.0.48","v3.0.49","v3.0.5","v3.0.6","v3.0.7","v3.0.8","v3.0.9","v3.1.0","v3.1.0-alpha.1","v3.1.0-alpha.2","v3.1.0-alpha.3","v3.1.0-alpha.4","v3.1.0-beta.1","v3.1.0-beta.2","v3.1.0-beta.3","v3.1.1","v3.1.10","v3.1.11","v3.1.12","v3.1.13","v3.1.14","v3.1.15","v3.1.16","v3.1.17","v3.1.18","v3.1.19","v3.1.2","v3.1.20","v3.1.21","v3.1.22","v3.1.23","v3.1.24","v3.1.25","v3.1.26","v3.1.27","v3.1.28","v3.1.29","v3.1.3","v3.1.30","v3.1.31","v3.1.32","v3.1.33","v3.1.34","v3.1.35","v3.1.4","v3.1.5","v3.1.6","v3.1.7","v3.1.8","v3.1.9","v3.2.0","v3.2.0-beta.1","v3.2.1","v3.2.10","v3.2.11","v3.2.12","v3.2.13","v3.2.14","v3.2.15","v3.2.16","v3.2.17","v3.2.18","v3.2.19","v3.2.2","v3.2.20","v3.2.21","v3.2.22","v3.2.23","v3.2.24","v3.2.25","v3.2.26","v3.2.27","v3.2.28","v3.2.29","v3.2.3","v3.2.30","v3.2.31","v3.2.32","v3.2.33","v3.2.34","v3.2.35","v3.2.36","v3.2.37","v3.2.38","v3.2.4","v3.2.5","v3.2.6","v3.2.7","v3.2.8","v3.2.9","v3.3.0","v3.3.0-beta.1","v3.3.0-beta.2","v3.3.0-beta.3","v3.3.0-beta.4","v3.3.0-beta.5","v3.3.0-beta.6","v3.3.0-beta.7","v3.3.1","v3.3.10","v3.3.11","v3.3.12","v3.3.13","v3.3.14","v3.3.15","v3.3.16","v3.3.17","v3.3.18","v3.3.19","v3.3.2","v3.3.20","v3.3.21","v3.3.22","v3.3.23","v3.3.24","v3.3.25","v3.3.26","v3.3.27","v3.3.28","v3.3.29","v3.3.3","v3.3.30","v3.3.31","v3.3.32","v3.3.33","v3.3.34","v3.3.35","v3.3.36","v3.3.37","v3.3.38","v3.3.39","v3.3.4","v3.3.40","v3.3.41","v3.3.42","v3.3.43","v3.3.44","v3.3.45","v3.3.46","v3.3.47","v3.3.48","v3.3.49","v3.3.5","v3.3.50","v3.3.51","v3.3.52","v3.3.53","v3.3.54","v3.3.55","v3.3.56","v3.3.57","v3.3.58","v3.3.59","v3.3.6","v3.3.60","v3.3.61","v3.3.62","v3.3.63","v3.3.64","v3.3.65","v3.3.66","v3.3.7","v3.3.8","v3.3.9","v3.4.0","v3.4.1","v3.4.10","v3.4.11","v3.4.12","v3.4.13","v3.4.2","v3.4.3","v3.4.4","v3.4.5","v3.4.6","v3.4.7","v3.4.8","v3.4.9","v4.0.0","v4.1.0","v4.1.1","v4.1.2","v4.1.3","v4.10.0","v4.10.1","v4.10.2","v4.11.0","v4.12.0","v4.13.0","v4.13.1","v4.13.2","v4.14.0","v4.15.0","v4.16.0","v4.17.0","v4.18.0","v4.19.0","v4.2.0","v4.20.0","v4.21.0","v4.22.0","v4.23.0","v4.23.1","v4.23.2","v4.24.0","v4.25.0","v4.26.0","v4.26.1","v4.27.0","v4.28.0","v4.29.0","v4.3.0","v4.30.0","v4.31.0","v4.32.0","v4.33.0","v4.4.0","v4.5.0","v4.6.0","v4.7.0","v4.8.0","v4.9.0","v4.9.1","v4.9.2"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-48217.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}