Statamic's Markdown preview endpoint exposes sensitive user data

Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, the markdown preview endpoint could be manipulated to return augmented data from arbitrary fieldtypes. With the users fieldtype specifically, an authenticated control panel user could retrieve sensitive user data including email addresses, encrypted passkey data, and encrypted two-factor authentication codes. This has been fixed in 5.73.16 and 6.7.2.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

输入验证不恰当

Statamic 信息泄露漏洞

Statamic是美国Statamic公司的一个基于 Laravel 构建的强大的平面文件 Cms。用于将所有内容、模板、资产和设置存储在文件而不是数据库中。 Statamic 5.73.16之前版本和6.7.2之前版本存在信息泄露漏洞，该漏洞源于markdown预览端点可能被操纵以返回任意字段类型的增强数据，可能导致经过身份验证的控制面板用户检索敏感用户数据。

N/A

N/A