Vulnerability Information
Although we use advanced large-model technology, its output may still contain inaccurate or outdated information. Shenlong strives to ensure the accuracy of the data, but please verify and judge it against your actual situation.
Vulnerability Title
Craft has an unauthenticated activation email trigger with potential user enumeration
Vulnerability Description
Craft is a content management system (CMS). Prior to 5.9.0-beta.2 and 4.17.0-beta.2, the actionSendActivationEmail() endpoint is accessible to unauthenticated users and does not require a permission check for pending users. An attacker with no prior access can trigger activation emails for any pending user account by knowing or guessing the user ID. If the attacker controls the target user’s email address, they can activate the account and gain access to the system. This vulnerability is fixed in 5.9.0-beta.2 and 4.17.0-beta.2.
CVSS Information
N/A
Vulnerability Type
Authorization Bypass Through User-Controlled Key
Vulnerability Title
Craft CMS security vulnerability
Vulnerability Description
Craft CMS is an open-source content management system (CMS) from Craft CMS. Versions of Craft CMS prior to 5.9.0-beta.2 and prior to 4.17.0-beta.2 contain a security vulnerability: the actionSendActivationEmail endpoint is open to unauthenticated users and lacks a permission check for pending users, which may allow an attacker to trigger activation emails by guessing user IDs and, if they control the target user's mailbox, activate the account and gain access to the system.
CVSS Information
N/A
Vulnerability Type
N/A