2024-11-19
Platform: Craft CMS
Version: All releases before 5.4.9 (5.x line) and before 4.12.8 (4.x line)
Vulnerability: Information Disclosure
Severity: High
Date: November 13, 2024 (Published by NIST)
Description:
A vulnerability in Craft CMS allows a user with write permissions on system notification templates to read arbitrary files on the server. The Twig `dataUrl` function returns a file as a Base64-encoded data URL; embedded in a notification template, it renders the contents of whatever file it is pointed at into the email body, so the next time that notification is triggered the Base64-encoded file content leaves the server inside the message.
Analytics: What Undercode Says:
This vulnerability poses a significant risk to Craft CMS users because it turns the ability to edit a system notification template into the ability to read any file the web server process can open. Upgrading to Craft CMS 5.4.9 or 4.12.8 is the fix.
Here are some additional points to consider:
The attacker must already hold write permissions on system notification templates, so this is a post-authentication issue; it matters because a template editor should never be able to read files outside the templates and web root.
The files reachable are bounded only by the filesystem permissions of the PHP process, which typically covers configuration files holding the database credentials.
Restrict system notification template editing to the few administrators who need it, and audit the existing templates for `dataUrl` calls that reference paths outside the web root: a template planted before the upgrade is not removed by upgrading.
Review outgoing notification emails for unexpected large Base64 blobs, since that is exactly what an exfiltrating template produces.
By following these recommendations, Craft CMS users can significantly reduce the risk of being exploited by this vulnerability.
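The following script is an added example written for this page, not code from Craft CMS or from the advisory. It covers the two checks the description and the recommendations above call for: whether an install's version predates the fixed release on its line, and whether a system notification template or an outgoing message shows the `dataUrl` pattern described. The "outside the web root" heuristic (absolute path, `..`, or a Craft alias other than `@webroot`) is this example's own assumption, not a check Craft performs, and the templates and email body are constructed sample inputs.

```python
import base64
import re
from typing import List, Optional, Tuple

# Fixed releases named in the advisory, keyed by major version line.
FIXED_RELEASES = {4: (4, 12, 8), 5: (5, 4, 9)}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '4.12.7' into (4, 12, 7). A '-beta.1' style suffix is dropped."""
    core = version.strip().split("-")[0]
    return tuple(int(part) for part in core.split("."))


def is_vulnerable(version: str) -> Optional[bool]:
    """True/False for 4.x and 5.x installs.

    Returns None for any other major line: the advisory lists no fixed release
    there, so this example makes no claim about it.
    """
    parts = parse_version(version)
    fixed = FIXED_RELEASES.get(parts[0])
    if fixed is None:
        return None
    return parts < fixed


# Heuristic (an assumption of this example, not a check Craft itself performs):
# a dataUrl() call whose quoted argument is an absolute path, contains '..',
# or uses a Craft alias other than @webroot (e.g. @root, @config, @storage)
# reaches outside the public web root and deserves a manual look.
DATAURL_CALL = re.compile(r"""dataUrl\(\s*(['"])(.*?)\1""")


def suspicious_dataurl_calls(template_source: str) -> List[str]:
    """Return the dataUrl() string arguments that point outside the web root."""
    hits = []
    for match in DATAURL_CALL.finditer(template_source):
        target = match.group(2)
        outside_webroot = (
            target.startswith("/")
            or ".." in target
            or (target.startswith("@") and not target.startswith("@webroot"))
        )
        if outside_webroot:
            hits.append(target)
    return hits


# dataUrl() renders "data:<mime>;base64,<payload>". This pulls such blobs out
# of a message body and decodes them so a responder can see what a triggered
# notification actually carried.
DATA_URL = re.compile(r"data:([\w/.+-]+)?(?:;charset=[\w-]+)?;base64,([A-Za-z0-9+/=]+)")


def extract_data_urls(email_body: str) -> List[Tuple[str, bytes]]:
    """Return (mime_type, decoded_bytes) for every base64 data URL in the body."""
    found = []
    for match in DATA_URL.finditer(email_body):
        mime = match.group(1) or "application/octet-stream"
        found.append((mime, base64.b64decode(match.group(2))))
    return found


# --- constructed sample inputs (not real Craft templates or captured mail) ---

BENIGN_TEMPLATE = """
<p>Hi {{ user.friendlyName }},</p>
<img src="{{ dataUrl('@webroot/images/logo.png') }}" alt="logo">
"""

PLANTED_TEMPLATE = """
<p>Hi {{ user.friendlyName }},</p>
<p>{{ dataUrl('/etc/passwd') }}</p>
<p>{{ dataUrl('@config/db.php') }}</p>
"""

# A message body as a planted template would render it; the payload is a
# made-up one-line file so the example stays self-contained.
LEAKED_LINE = b"root:x:0:0:root:/root:/bin/sh\n"
SAMPLE_EMAIL = (
    "<p>Hi Alice,</p><p>data:text/plain;base64,"
    + base64.b64encode(LEAKED_LINE).decode("ascii")
    + "</p>"
)

if __name__ == "__main__":
    for v in ("4.12.7", "4.12.8", "5.4.8", "5.4.9", "3.9.0"):
        print(v, {True: "vulnerable", False: "fixed", None: "not covered"}[is_vulnerable(v)])
    print("benign template flags:", suspicious_dataurl_calls(BENIGN_TEMPLATE))
    print("planted template flags:", suspicious_dataurl_calls(PLANTED_TEMPLATE))
    for mime, data in extract_data_urls(SAMPLE_EMAIL):
        print(mime, data)
```

Run `suspicious_dataurl_calls` over every system notification template you can export and `extract_data_urls` over the bodies of recently sent notification mail; the second check is what tells you whether a planted template already fired before you patched.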
References:
Source: NVD (nvd.nist.gov)