Description
Craft CMS contains a missing authorization vulnerability in the assets/preview-thumb endpoint. A Control Panel user without permission to view a target private asset can call the endpoint with an attacker-controlled assetId and receive preview HTML containing a signed fallback transform preview link for that private asset, because no asset-view permission check is performed before preview generation. This affects versions >= 4.0.0-RC1, <= 4.17.7 and >= 5.0.0-RC1, <= 5.9.13, and is fixed in 4.17.8 and 5.9.14.
Problem types
Product status
4.0.0-RC1 (semver) before 4.17.8
4.17.8 (semver)
5.0.0-RC1 (semver) before 5.9.14
5.9.14 (semver)
Credits
Susen2
References
github.com/...ms/cms/security/advisories/GHSA-x76w-8c62-48mg (GHSA Advisory GHSA-x76w-8c62-48mg)
github.com/...ommit/d30df3112220db1ffd6726a3ed11857014c7fb27
www.vulncheck.com/...zation-in-assets-preview-thumb-endpoint (VulnCheck Advisory: Craft CMS - Missing Authorization in assets/preview-thumb Endpoint)