Craft CMS < 4.15.3 / 5.x < 5.7.5 External Control of Assumed-Immutable Web Parameter

medium Nessus Plugin ID 253648

Synopsis

The Craft CMS instance installed on the remote host is affected by an external control of assumed-immutable web parameter vulnerability.

Description

The version of Craft CMS installed on the remote host is prior to 4.15.3 or 5.x prior to 5.7.5. It is, therefore, affected by an external control of assumed-immutable web parameter vulnerability:

- Craft CMS redirects requests that require authentication to the login page and creates a session file on the server under '/var/lib/php/sessions'. Such session files are named 'sess_[session_value]', where '[session_value]' is the value returned to the client in a 'Set-Cookie' response header. Craft CMS stores the return URL requested by the client in that session without sanitizing its parameters. Consequently, an unauthenticated client can write arbitrary values, such as PHP code, into a file at a known local path on the server. Craft CMS versions 5.7.5 and 4.15.3 have been released to address this issue. (CVE-2025-35939)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Upgrade Craft CMS to version 4.15.3, 5.7.5, or later.

See Also

https://github.com/craftcms/cms/pull/17220

https://github.com/craftcms/cms/releases/tag/4.15.3

https://github.com/craftcms/cms/releases/tag/5.7.5

Plugin Details

Severity: Medium

ID: 253648

File Name: craftcms_CVE-2025-35939.nasl

Version: 1.1

Type: local

Agent: unix

Family: Misc.

Published: 8/22/2025

Updated: 8/22/2025

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 2.9

CVSS v2

Risk Factor: Medium

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2025-35939

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Vulnerability Information

CPE: cpe:/a:craftcms:craft_cms

Required KB Items: installed_sw/Craft CMS

Patch Publication Date: 5/5/2025

Vulnerability Publication Date: 5/5/2025

CISA Known Exploited Vulnerability Due Dates: 6/23/2025

Reference Information

CVE: CVE-2025-35939