PT-2026-30518 · Packagist · Craftcms/Cms

Publicado

2026-03-26

·

Atualizado

2026-03-26

CVSS v4.0

1.3

Baixa

VetorAV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U

Summary

An authenticated low-privileged user can call assets/preview-file for an asset they are not authorized to view and still receive preview response data (previewHtml) for that private asset.
The returned preview HTML included a private preview image route containing the target private assetId, even though canView was false for the attacker account.

Details

  1. assets/preview-file accepts a maliciously controlled assetId and renders preview output.
  2. The action does not enforce per-asset view authorization prior to returning preview content.
  3. As a result, an authenticated user without asset-view permission can still obtain private preview output.
This affects Craft installations with authenticated users of mixed privilege levels with private assets.

Resources

  • d30df3112220db1ffd6726a3ed11857014c7fb27
  • b1cddf72c98a

Correção

Information Disclosure

IDOR

Missing Authorization

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-200CWE-639CWE-862

Identificadores relacionados

GHSA-44PX-QJJC-XRHQ

Produtos afetados

Craftcms/Cms