Alaeddine03

**Name of the Vulnerable Software and Affected Versions** TinaCMS versions prior to 2.1.8 **Description** TinaCMS, a headless content management system, has an issue where the CLI dev server combines a permissive CORS configuration (Access-Control-Allow-Origin: *) with a path traversal vulnerability. This combination enables a browser-based drive-by attack. A remote attacker can enumerate the filesystem, write arbitrary files, and delete arbitrary files on developer machines by tricking them into visiting a malicious website while the TinaCMS dev server is running. The attack flow involves the developer running `tinacms dev`, then unknowingly visiting an attacker-controlled page. The attacker's JavaScript exploits the CORS misconfiguration and path traversal to read sensitive files, which are then exfiltrated to the attacker's server. The vulnerable component is the TinaCMS dev server, specifically the CORS configuration and the path traversal functionality. The API endpoint `/media/upload/` is susceptible to path traversal, allowing attackers to write arbitrary files. The API endpoint `/media/` allows for file deletion via the DELETE method, also vulnerable to path traversal. The `/media/list/` endpoint allows for filesystem enumeration. **Recommendations** Update to TinaCMS version 2.1.8 or later.

**Name of the Vulnerable Software and Affected Versions** TinaCMS versions prior to 2.1.8 **Description** Tina is a headless content management system. The TinaCMS CLI development server, before version 2.1.8, exposes media endpoints susceptible to path traversal. This allows attackers to read, write, and potentially delete arbitrary files on the filesystem outside the intended media directory. The server starts a local HTTP server (default port 4001) exposing endpoints such as '/media/list/*', '/media/upload/*', and '/media/*'. These endpoints process user-controlled path segments using `decodeURI()` and `path.join()` without validating that the resolved path remains within the configured media directory. The vulnerable code snippet uses `path.join()` to construct file paths without proper validation, allowing attackers to manipulate the path and access files outside the intended directory. Specifically, the `fullPath` variable, derived from the request URL, is used in conjunction with `path.join()` to create the `saveTo` path, which is then used to write files. An attacker can exploit this by crafting a malicious path segment in the URL to traverse the directory structure and access sensitive files. For example, using a path like '/media/upload/../../../../etc/passwd' could allow an attacker to read the contents of the '/etc/passwd' file. The vulnerability can be exploited in cloud IDEs, Docker or VM setups with port forwarding, misconfigured dev environments, and local malware scenarios. An attacker could read arbitrary files, write arbitrary files, delete or overwrite files, and potentially escalate to code execution. **Recommendations** Versions prior to 2.1.8 should be updated to version 2.1.8 or later.

**Name of the Vulnerable Software and Affected Versions** TinaCMS versions prior to 2.1.8 **Description** TinaCMS is a headless content management system. Before version 2.1.8, the TinaCMS CLI development server configures Vite with `server.fs.strict: false`, disabling Vite’s built-in filesystem access restriction. This allows an unauthenticated attacker who can reach the development server to read arbitrary files on the host system. The development server is configured in `packages/@tinacms/cli/src/next/vite/index.ts`. The server enables permissive CORS, potentially facilitating browser-based exploitation like DNS rebinding attacks. An attacker can read any file readable by the server process, including sensitive information like `/etc/passwd`, `/etc/shadow`, SSH private keys, and environment variables. This is particularly dangerous in cloud IDEs, Docker/VM setups with port forwarding, misconfigured environments, and systems susceptible to DNS rebinding attacks. **Recommendations** Versions prior to 2.1.8 should be updated to version 2.1.8 or later.