Signal Handler Use of a Non-reentrant Function
CVE-2026-44011
Summary
We identified a vulnerability in the latest version of Craft CMS: an input-handling flaw in a Yii object creation path allows any authenticated user to inject malicious configuration and execute arbitrary commands on the server. Yii's dynamic object configuration, as implemented in Craft CMS, is a feature that lets the application build parts of itself from a settings list. Affected versions are 4.0.0 and later before 4.17.12, and 5.0.0 and later before 5.9.18.
CWE-479 - Signal Handler Use of a Non-reentrant Function
The program defines a signal handler that calls a non-reentrant function.
References
Advisory Timeline
- Published