File Disclosure Vulnerability in Craft CMS by Craft
CVE-2024-52292

6.5 MEDIUM

Key Information:

Vendor
Craftcms
Status
Vendor
CVE Published: 13 November 2024

Summary

A vulnerability in Craft CMS allows attackers with write access to system notification templates to exploit the dataUrl function. By embedding malicious code, an attacker can trigger a system email that contains Base64-encoded content of sensitive files. This encoded payload can be decoded, leading to unauthorized access to arbitrary files on the server. The issue has been addressed in versions 5.4.9 and 4.12.8.

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
