The fix for GHSA-7jx7-3846-m7w7 (commit 395c64f) only patched src/services/Fields.php, but the same vulnerable pattern exists in ElementIndexesController and FieldsController.
You need Craft control panel administrator permissions, and allowAdminChanges must be enabled for this to work.
An attacker can use the same gadget chain from the original advisory to achieve RCE.
Users should update to Craft 4.17.5 and 5.9.11 to mitigate the issue.
References
GHSA-7jx7-3846-m7w7
dfec463
78d181e