PT-2026-55353 · Packagist · Craftcms/Cms
Published 2026-07-02 · Updated 2026-07-02
CVSS v4.0: 7.1 (High)
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
We have identified an authorization issue in Craft CMS where a forced folder move can delete a conflicting destination folder without destination delete permission.
Description
Craft CMS's `craft\controllers\AssetsController::actionMoveFolder()` supports moving an asset folder into a destination parent folder. If a folder with the same name already exists at the destination, the action can be called with `force=true` to overwrite the destination. The permission checks for this action require:

- `deleteAssets:<sourceVolumeUid>` for the folder being moved
- `createFolders:<destVolumeUid>` for the destination parent folder
- `saveAssets:<destVolumeUid>` for the destination parent folder

The action does not require `deleteAssets` on the destination volume or on the conflicting destination folder. When `force=true` and a name conflict exists, the code deletes the destination folder to resolve the conflict:

```php
$this->requireVolumePermissionByFolder('deleteAssets', $folderToMove);
$this->requireVolumePermissionByFolder('createFolders', $destinationFolder);
$this->requireVolumePermissionByFolder('saveAssets', $destinationFolder);
```

Indexed destination conflicts are deleted via the Assets service:

```php
$assets->deleteFoldersByIds($existingFolder->id);
```

Unindexed destination conflicts are deleted directly in the volume filesystem:

```php
$targetVolume->deleteDirectory(rtrim($destinationFolder->path, '/') . '/' . $folderToMove->name);
```

Impact
A user who cannot delete assets in a destination volume can still delete a destination folder and its contents by triggering a forced move into a conflicting name. This can cause asset loss, broken references in entries and fields that point to deleted assets, and operational disruption.
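The following stand-alone PHP sketch is an added illustration, not Craft CMS code: it models the three permission checks the advisory describes, then shows the additional check a defender would expect before a forced move is allowed to delete a conflicting destination folder. The `Folder`, `User` and `authorizeMove` names and the volume UIDs are constructed for this example.

```php
<?php
// Constructed model (not Craft's implementation) of the permission logic described above.
final class Folder {
    public function __construct(public string $name, public string $volumeUid) {}
}

final class User {
    /** @param string[] $permissions entries of the form "<action>:<volumeUid>" */
    public function __construct(private array $permissions) {}
    public function can(string $permission): bool {
        return in_array($permission, $this->permissions, true);
    }
}

// Mirrors the shape of requireVolumePermissionByFolder(): action scoped to the folder's volume.
function requireVolumePermissionByFolder(User $user, string $action, Folder $folder): void {
    if (!$user->can("$action:{$folder->volumeUid}")) {
        throw new RuntimeException("Forbidden: $action on volume {$folder->volumeUid}");
    }
}

/**
 * $conflict is the destination folder that already carries the moved folder's name (null if none).
 * With $hardened=false this reproduces the checks listed in the advisory; with $hardened=true the
 * forced overwrite additionally requires delete permission where the conflicting folder lives,
 * because that code path removes $conflict and its contents.
 */
function authorizeMove(User $user, Folder $source, Folder $destParent, ?Folder $conflict, bool $force, bool $hardened): void {
    requireVolumePermissionByFolder($user, 'deleteAssets', $source);
    requireVolumePermissionByFolder($user, 'createFolders', $destParent);
    requireVolumePermissionByFolder($user, 'saveAssets', $destParent);
    if ($hardened && $force && $conflict !== null) {
        // The destructive branch deletes a folder in the destination volume, so gate it on delete rights there.
        requireVolumePermissionByFolder($user, 'deleteAssets', $conflict);
    }
}

// Constructed scenario: delete rights only in the source volume, create/save rights in the destination volume.
$user       = new User(['deleteAssets:vol-src', 'createFolders:vol-dst', 'saveAssets:vol-dst']);
$source     = new Folder('reports', 'vol-src');
$destParent = new Folder('shared', 'vol-dst');
$conflict   = new Folder('reports', 'vol-dst');

authorizeMove($user, $source, $destParent, $conflict, true, false); // passes although $conflict would be deleted
try {
    authorizeMove($user, $source, $destParent, $conflict, true, true);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Running it shows the unhardened check sequence accepting the forced move, while the hardened variant rejects it on the missing destination `deleteAssets` permission.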
Fix
Missing Authorization
Weakness Enumeration
Related identifiers
Affected products
Craftcms/Cms