SCA: security update for craftcms/cms (GHSA-7vrx-9684-xrf2)

medium Tenable Self-Hosted Container Security Plugin ID 434322

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Craft CMS stores arbitrary content provided by unauthenticated users in session files. This content could
be accessed and executed, possibly using an independent vulnerability. Craft CMS redirects requests that
require authentication to the login page and generates a session file on the server at
'/var/lib/php/sessions'. Such session files are named 'sess_[session_value]', where '[session_value]' is
provided to the client in a 'Set-Cookie' response header. Craft CMS stores the return URL requested by the
client without sanitizing parameters. Consequently, an unauthenticated client can introduce arbitrary
values, such as PHP code, to a known local file location on the server. Craft CMS versions 5.7.5 and
4.15.3 have been released to address this issue. (CVE-2025-35939)

See Also

https://github.com/advisories/GHSA-7vrx-9684-xrf2

Plugin Details

Severity: Medium

ID: 434322

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 8/19/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4

Percentile: 53.58

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 4.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2025-35939

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 4.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 6.9

Threat Score: 6.9

Threat Vector: CVSS:4.0/E:A

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/8/2025

Vulnerability Publication Date: 5/7/2025

CISA Known Exploited Vulnerability Due Dates: 6/23/2025

Reference Information

CVE: CVE-2025-35939

cwe: CWE-472