VDB
KO
HIGH

GHSA-86vw-x4ww-x467

Craft CMS: RCE via missing cleanseConfig in FieldsController::actionRenderCardPreview

Details

The `actionRenderCardPreview()` method in `FieldsController` passes the `fieldLayoutConfig` POST parameter directly to `Fields::createLayout()` without calling `Component::cleanseConfig()`. This allows Yii2 event handler injection via `on eventName` keys in the config array, leading to arbitrary code execution.

This is the same vulnerability pattern that was fixed in GHSA-4484-8v2f-5748 (same file, `_fldComponent` method correctly uses `cleanseConfig`), GHSA-qx2q-q59v-wf3j (EntryTypesController), and GHSA-2fph-6v5w-89hh (ElementIndexesController).

## PoC

As an admin user with a valid session:

``` POST /admin/actions/fields/render-card-preview HTTP/1.1 Content-Type: application/x-www-form-urlencoded Cookie: CraftSessionId=<session>

fieldLayoutConfig[on+init]=phpinfo&CRAFT_CSRF_TOKEN=<token> ```

When the FieldLayout object is constructed, Yii2 processes the `on init` key as an event handler registration. During `Component::init()`, the `init` event is triggered, calling `phpinfo()`. The phpinfo output (which includes environment variables, potentially containing database credentials and `CRAFT_SECURITY_KEY`) will appear in the response.

## Impact

An authenticated admin can achieve RCE through Yii2 event handler injection. While this requires admin access (same as GHSA-4484-8v2f-5748, which was rated moderate), it allows arbitrary PHP function execution and information disclosure via phpinfo.

Are you affected?

Enter the version of the package you're using.

Affected packages

Packagist / craftcms/cms
Introduced in: 5.5.0 Fixed in: 5.9.14
Fix composer require craftcms/cms:^5.9.14

References