The fix for GHSA-7jx7-3846-m7w7 (commit 395c64f) only patched src/services/Fields.php, but the same vulnerable pattern exists in EntryTypesController::actionApplyOverrideSettings().
In src/controllers/EntryTypesController.php lines 381-387:
$settingsStr = $this->request->getBodyParam('settings');
parse_str($settingsStr, $postedSettings);
$settingsNamespace = $this->request->getRequiredBodyParam('settingsNamespace');
$settings = array_filter(ArrayHelper::getValue($postedSettings, $settingsNamespace, []));
if (!empty($settings)) {
Craft::configure($entryType, $settings);The $settings array from parse_str is passed directly to Craft::configure() without Component::cleanseConfig(). This allows injecting Yii2 behavior/event handlers via as or on prefixed keys, the same attack vector as the original advisory.
You need Craft control panel administrator permissions, and allowAdminChanges must be enabled for this to work.
An attacker can use the same gadget chain from the original advisory to achieve RCE.
Users should update to Craft 5.9.11 to mitigate the issue.
References
GHSA-7jx7-3846-m7w7
d37389d
The fix for GHSA-7jx7-3846-m7w7 (commit 395c64f) only patched
src/services/Fields.php, but the same vulnerable pattern exists inEntryTypesController::actionApplyOverrideSettings().In
src/controllers/EntryTypesController.phplines 381-387:The
$settingsarray fromparse_stris passed directly toCraft::configure()withoutComponent::cleanseConfig(). This allows injecting Yii2 behavior/event handlers viaasoronprefixed keys, the same attack vector as the original advisory.You need Craft control panel administrator permissions, and
allowAdminChangesmust be enabled for this to work.An attacker can use the same gadget chain from the original advisory to achieve RCE.
Users should update to Craft 5.9.11 to mitigate the issue.
References
GHSA-7jx7-3846-m7w7
d37389d