PT-2026-25818 · Craft Cms+1

Neosprings · Published 2026-03-16 · Updated 2026-03-18 · CVE-2026-32268

CVSS v4.0: 8.7 (High)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

Azure Blob Storage for Craft CMS plugin versions prior to 2.1.1

Description

The Azure Blob Storage for Craft CMS plugin integrates Azure Blob Storage with Craft CMS. Versions prior to 2.1.1 allow unauthenticated users to view a list of buckets the plugin has access to. The /DefaultController->actionLoadContainerData() API endpoint permits unauthenticated users possessing a valid CSRF token to enumerate accessible buckets. Due to the potential for sensitive data exposure in Azure error messages, additional attack vectors may be present.

Recommendations

Update to version 2.1.1 of the plugin.

Exploit

Fix

Missing Authorization

Weakness Enumeration

Related Identifiers

CVE-2026-32268
GHSA-Q6FM-P73F-X862

Affected Products

Azure Blob Storage For Craft Cms
Craft Cms