### [CVE-2024-52293](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-52293)
![](https://img.shields.io/static/v1?label=Product&message=cms&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=%3D%20%3E%3D%204.0.0-RC1%2C%20%3C%204.12.2%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-22%3A%20Improper%20Limitation%20of%20a%20Pathname%20to%20a%20Restricted%20Directory%20('Path%20Traversal')&color=brighgreen)

### Description

Craft is a content management system (CMS). Prior to 4.12.2 and 5.4.3, Craft is missing normalizePath in the function FileHelper::absolutePath could lead to Remote Code Execution on the server via twig SSTI. This is a sequel to CVE-2023-40035. This vulnerability is fixed in 4.12.2 and 5.4.3.

### POC

#### Reference
- https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv

#### Github
No PoCs found on GitHub currently.