CVE-2025-35939
Craft CMS External Control of Assumed-Immutable Web Parameter Vulnerability
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
YesDecision
Descriptions
Craft CMS stores arbitrary content provided by unauthenticated users in session files. This content could be accessed and executed, possibly using an independent vulnerability. Craft CMS redirects requests that require authentication to the login page and generates a session file on the server at `/var/lib/php/sessions`. Such session files are named `sess_[session_value]`, where `[session_value]` is provided to the client in a `Set-Cookie` response header. Craft CMS stores the return URL requested by the client without sanitizing parameters. Consequently, an unauthenticated client can introduce arbitrary values, such as PHP code, to a known local file location on the server. Craft CMS versions 5.7.5 and 4.15.3 have been released to address this issue.
Craft CMS stores arbitrary content provided by unauthenticated users in session files. This content could be accessed and executed, possibly using an independent vulnerability. Craft CMS redirects requests that require authentication to the login page and generates a session file on the server at '/var/lib/php/sessions'. Such session files are named 'sess_[session_value]', where '[session_value]' is provided to the client in a 'Set-Cookie' response header. Craft CMS stores the return URL requested by the client without sanitizing parameters. Consequently, an unauthenticated client can introduce arbitrary values, such as PHP code, to a known local file location on the server. Craft CMS versions 5.7.5 and 4.15.3 have been released to address this issue.
Craft CMS contains an external control of assumed-immutable web parameter vulnerability. This vulnerability could allow an unauthenticated client to introduce arbitrary values, such as PHP code, to a known local file location on the server. This vulnerability could be chained with CVE-2024-58136 as represented by CVE-2025-32432.
CVSS Scores
SSVC
- Decision:Act
Timeline
- 2025-04-15 CVE Reserved
- 2025-05-07 CVE Published
- 2025-06-02 Exploited in Wild
- 2025-06-06 CVE Updated
- 2025-06-23 KEV Due Date
- 2025-07-14 EPSS Updated
- ---------- First Exploit
CWE
- CWE-472: External Control of Assumed-Immutable Web Parameter
CAPEC
References (5)
URL | Date | SRC |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Craft Search vendor "Craft" | CMS Search vendor "Craft" for product "CMS" | < 5.7.5 Search vendor "Craft" for product "CMS" and version " < 5.7.5" | en |
Affected
| ||||||
Craft Search vendor "Craft" | CMS Search vendor "Craft" for product "CMS" | < 4.15.3 Search vendor "Craft" for product "CMS" and version " < 4.15.3" | en |
Affected
|