Craft CMS: Low-privilege users could read private asset contents when editing an asset (IDOR)

Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, a low-privileged authenticated user can read private asset content by calling assets/edit-image with an arbitrary assetId that they are not authorized to view. The endpoint returns image bytes (or a preview redirect) without enforcing a per-asset view authorization check, leading to potential unauthorized disclosure of private files. This issue has been patched in versions 4.17.8 and 5.9.14.

N/A

通过用户控制密钥绕过授权机制

Craft CMS 安全漏洞

Craft CMS是Craft CMS开源的一套内容管理系统（CMS）。 Craft CMS 4.17.8之前版本和5.9.14之前版本存在安全漏洞，该漏洞源于未强制执行按资源查看授权检查，可能导致未经授权读取私有资产内容。

N/A

N/A