Angrybrad

**Name of the Vulnerable Software and Affected Versions** Google Cloud Storage for Craft CMS plugin versions prior to 2.2.1 **Description** The Google Cloud Storage for Craft CMS plugin integrates Google Cloud Storage with Craft CMS. Versions of the plugin on the 2.x branch prior to 2.2.1 allow unauthenticated users possessing a valid CSRF token to view a list of buckets the plugin has access to via the `DefaultController->actionLoadBucketData()` API endpoint. The `DefaultController->actionLoadBucketData()` endpoint is vulnerable. **Recommendations** Update the plugin to version 2.2.1.

**Name of the Vulnerable Software and Affected Versions** Craft CMS versions 4.0.0-RC1 through 4.17.5 Craft CMS versions 5.0.0-RC1 through 5.9.11 **Description** Craft CMS contains a privilege escalation flaw via the `UsersController->actionImpersonateWithToken` function. A low-privilege user, or an unauthenticated user with access to a shared URL, can escalate their privileges to administrator level. This is achieved by abusing the impersonation functionality through a token-based bypass. The issue allows an attacker with a valid "preview token" to hijack requests into the impersonation endpoint, logging in as any user, including administrators, without authentication. Approximately 105,000 instances of Craft CMS are exposed globally. The vulnerability allows full admin takeover. The root cause is a bypass of security guards in the `actionPreview()` function, combined with insufficient verification of the token intended for the impersonation action. The vulnerability is exploitable by appending a crafted string to a preview URL. **Recommendations** Craft CMS versions 4.0.0-RC1 through 4.17.5 should be updated to version 4.17.6. Craft CMS versions 5.0.0-RC1 through 5.9.11 should be updated to version 5.9.12.

**Name of the Vulnerable Software and Affected Versions** Craft versions prior to 5.9.7 Craft versions prior to 4.17.3 **Description** The software is susceptible to a reflected cross-site scripting (XSS) issue. A fix intended to sanitize return URLs used `strip tags()`, which only removes HTML tags but does not validate URL schemes. Payloads utilizing schemes like `javascript:` or `data:` bypass this sanitization, enabling malicious code execution when the return URL is rendered in an `href` attribute. Specifically, the `setReturnUrl()` function in `src/web/User.php` is affected. The issue arises because `strip tags()` operates on HTML syntax while the threat requires URL scheme validation. Exploitation involves crafting a malicious link containing a dangerous URL, such as `https://target.example.com/?returnUrl=javascript:alert(document.cookie)`, and sending it to a victim. When the victim clicks the link, the malicious URL is stored in the session and subsequently rendered in an `href` attribute, leading to the execution of the attacker-controlled code. This can lead to session hijacking, data exfiltration, phishing, and cross-site request forgery (CSRF). **Recommendations** Versions prior to 5.9.7 should be updated to version 5.9.7. Versions prior to 4.17.3 should be updated to version 4.17.3.

**Name of the Vulnerable Software and Affected Versions** Craft CMS versions 4.0.0-RC1 through 4.17.4 Craft CMS versions 5.0.0-RC1 through 5.9.10 **Description** Craft CMS is a content management system. A remote code execution issue exists in the `ElementIndexesController` and `FieldsController` due to a behavior injection. To exploit this, Craft control panel administrator permissions and `allowAdminChanges` must be enabled. An attacker can leverage the same gadget chain as a previously reported advisory to achieve remote code execution. **Recommendations** Craft CMS versions 4.0.0-RC1 through 4.17.4 should be updated to version 4.17.5. Craft CMS versions 5.0.0-RC1 through 5.9.10 should be updated to version 5.9.11.

**Name of the Vulnerable Software and Affected Versions** Craft CMS versions prior to 4.15.3 Craft CMS versions prior to 5.7.5 **Description** Craft CMS stores arbitrary content provided by unauthenticated users in session files. This content could be accessed and executed, possibly using an independent vulnerability. Craft CMS redirects requests that require authentication to the login page and generates a session file on the server at `/var/lib/php/sessions`. Such session files are named `sess [session value]`, where `[session value]` is provided to the client in a `Set-Cookie` response header. Craft CMS stores the return URL requested by the client without sanitizing parameters. Consequently, an unauthenticated client can introduce arbitrary values, such as PHP code, to a known local file location on the server. **Recommendations** For versions prior to 4.15.3, update to version 4.15.3 or later to address this issue. For versions prior to 5.7.5, update to version 5.7.5 or later to address this issue.

**Name of the Vulnerable Software and Affected Versions** Craft CMS versions prior to 4.13.8 Craft CMS versions prior to 5.5.8 **Description** This is a remote code execution (RCE) vulnerability that affects Craft CMS versions 4 and 5, specifically those with compromised security keys. The vulnerability allows attackers to execute arbitrary code on the affected system, potentially leading to unauthorized access and data breaches. According to CISA, this vulnerability is being actively exploited in cyberattacks, with approximately 41,000 instances potentially affected. **Recommendations** Update to Craft CMS version 4.13.8 or later. Update to Craft CMS version 5.5.8 or later. If updating is not possible, rotate the security key and ensure its privacy to help mitigate the issue.

**Name of the Vulnerable Software and Affected Versions** Feed Me plugin version 4.6.1 Craft CMS version 4.6.1 Craft CMS version 4.6.1.1 **Description** An issue was discovered that allows remote attackers to cause a denial of service (DoS) via crafted strings to `Feed-Me Name` and `Feed-Me URL` fields, due to saving a feed using an Asset element type with no volume selected. **Recommendations** For Feed Me plugin version 4.6.1, update to a version that fixes the issue. For Craft CMS version 4.6.1, update to a version that fixes the issue. For Craft CMS version 4.6.1.1, update to a version that fixes the issue. As a temporary workaround, consider restricting access to the `Feed-Me Name` and `Feed-Me URL` fields until a patch is available.

**Name of the Vulnerable Software and Affected Versions** CraftCMS versions 3.7.59 through 3.7.67 **Description** The issue allows an attacker to inject javascript code into the Volume Name, potentially leading to Cross Site Scripting (XSS) attacks. This could enable attackers to execute malicious scripts on the affected system. **Recommendations** For CraftCMS versions 3.7.59 through 3.7.67, update to version 3.7.68 or later to resolve the issue. As a temporary workaround, consider restricting access to the Volume Name field to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: craftcms version 3.1.31 Description: The issue allows remote attackers to inject arbitrary web script or HTML. This is achieved via the "/admin/settings/sites/new" API endpoint. The estimated number of potentially affected devices worldwide is not specified. There is no information provided about real-world incidents where this issue was exploited. Recommendations: For craftcms version 3.1.31, update to a version that contains a fix for this issue, as no specific workaround is provided for this version. At the moment, there is no information about a newer version that contains a fix for this vulnerability.