Statamic allows unauthorized content access through missing authorization in its revision controllers

Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, authenticated Control Panel users could view entry revisions for any collection with revisions enabled, regardless of whether they had the required collection permissions. This bypasses the authorization checks that the main entry controllers enforce, exposing entry field values and blueprint data. Users could also create entry revisions without edit permission, though this only snapshots the existing content state and does not affect published content. This has been fixed in 5.73.16 and 6.7.2.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

授权机制缺失

Statamic 安全漏洞

Statamic是美国Statamic公司的一个基于 Laravel 构建的强大的平面文件 Cms。用于将所有内容、模板、资产和设置存储在文件而不是数据库中。 Statamic 5.73.16之前版本和6.7.2之前版本存在安全漏洞，该漏洞源于经过身份验证的控制面板用户可以查看任何启用修订的集合的条目修订，可能导致绕过授权检查并暴露条目字段值和蓝图数据。

N/A

N/A