Skip to content
Threat Feed
high advisory

Craft CMS RCE via Missing cleanseConfig in FieldsController

An authenticated administrator in Craft CMS (versions 5.5.0 to 5.9.13) is vulnerable to Remote Code Execution (RCE) via a missing input sanitization vulnerability in the `actionRenderCardPreview()` method of `FieldsController`, allowing Yii2 event handler injection through specially crafted `fieldLayoutConfig` POST parameters, which enables arbitrary PHP code execution and sensitive information disclosure.

A critical vulnerability (GHSA-86vw-x4ww-x467) has been identified in Craft CMS, affecting versions 5.5.0 through 5.9.13, that allows authenticated administrators to achieve Remote Code Execution (RCE). The actionRenderCardPreview() method within the FieldsController component incorrectly passes the fieldLayoutConfig POST parameter directly to Fields::createLayout() without invoking Component::cleanseConfig(). This oversight permits attackers to inject malicious Yii2 event handlers through on eventName keys in the configuration array, leading to arbitrary PHP function execution. The impact extends to information disclosure, potentially exposing sensitive data like database credentials and CRAFT_SECURITY_KEY via phpinfo() output, posing a significant risk of full system compromise for affected installations.

Attack Chain

  1. An attacker obtains or compromises legitimate administrative credentials for a Craft CMS instance.
  2. The authenticated attacker crafts a malicious HTTP POST request targeting the /admin/actions/fields/render-card-preview endpoint.
  3. The request includes a fieldLayoutConfig POST parameter containing a specially formed on+init key, such as fieldLayoutConfig[on+init]=phpinfo.
  4. The vulnerable actionRenderCardPreview() method processes this parameter without proper sanitization.
  5. When the FieldLayout object is constructed, Yii2 interprets the on init key as an event handler registration.
  6. During the Component::init() execution, the registered init event is triggered, leading to the execution of the attacker-supplied PHP function (e.g., phpinfo()).
  7. The server responds with the output of the executed PHP function, potentially disclosing sensitive environment variables, system information, and configuration secrets, or executing arbitrary commands.

Impact

Successful exploitation allows an authenticated administrator to achieve full Remote Code Execution (RCE) on the Craft CMS server. This can lead to complete compromise of the web server and its underlying data, including the exfiltration of sensitive information such as database credentials and the CRAFT_SECURITY_KEY. The ability to execute arbitrary PHP functions allows for a wide range of malicious activities, from defacement and data manipulation to establishing persistent backdoors and escalating privileges within the hosting environment. While requiring existing admin access, the severity of the code execution and information disclosure capabilities represents a critical risk.

Recommendation

  • Immediately update Craft CMS installations to a patched version beyond 5.9.13 to remediate GHSA-86vw-x4ww-x467.
  • Deploy the Sigma rules in this brief to your SIEM to detect exploitation attempts against /admin/actions/fields/render-card-preview.
  • Monitor web server access logs for requests to /admin/actions/fields/render-card-preview containing unusual or suspicious query parameters.
  • Implement strong authentication mechanisms, such as multi-factor authentication (MFA), for all Craft CMS administrator accounts to prevent credential compromise.
  • Review the references URL for the official advisory and patching instructions from Craft CMS.

Detection coverage 1

Detect Craft CMS RCE Attempt via FieldsController - GHSA-86vw-x4ww-x467

high

Detects exploitation attempts against Craft CMS CVE GHSA-86vw-x4ww-x467 - POST request to render-card-preview endpoint with Yii2 event handler injection via fieldLayoutConfig parameter.

sigma tactics: execution techniques: T1059.006 sources: webserver

Detection queries are available on the platform. Get full rules →