Gcxwlp

**Name of the Vulnerable Software and Affected Versions** Craft CMS versions 4.0.0-RC1 through 4.17.7 Craft CMS versions 5.0.0-RC1 through 5.9.13 **Description** A low-privileged authenticated user can access private asset content by calling the `/assets/edit-image` API endpoint with an arbitrary `assetId` without proper authorization checks. The endpoint returns image bytes or a preview redirect, potentially disclosing private files. The issue stems from a lack of verification that the current user is authorized to view the requested asset. **Recommendations** Update Craft CMS to version 4.17.8 or later. Update Craft CMS to version 5.9.14 or later.

**Name of the Vulnerable Software and Affected Versions** Craft CMS versions 4.0.0-RC1 through 4.17.7 Craft CMS versions 5.0.0-RC1 through 5.9.13 **Description** Craft CMS is a content management system. Guest users can access the Config Sync updater `index`, obtain signed `data`, and execute state-changing Config Sync actions (`regenerate-yaml`, `apply-yaml-changes`) without authentication. The `ConfigSyncController` extends `BaseUpdaterController`, and the base updater is anonymously accessible for control panel requests. The `index` endpoint emits signed updater state (`data`), which can be reused by guests in subsequent requests. Sensitive actions reachable through this method include `actionApplyYamlChanges`, `actionRegenerateYaml`, `applyExternalChanges`, and `regenerateExternalConfig`. An attacker can send a POST request to `/admin/actions/config-sync/index` to extract the signed data, then reuse it in subsequent requests to endpoints like `/admin/actions/config-sync/regenerate-yaml` or `/admin/actions/config-sync/apply-yaml-changes`, potentially causing unauthorized configuration state transitions and a service integrity risk. **Recommendations** Craft CMS versions 4.0.0-RC1 through 4.17.7 should be updated to version 4.17.8 or later. Craft CMS versions 5.0.0-RC1 through 5.9.13 should be updated to version 5.9.14 or later.

**Name of the Vulnerable Software and Affected Versions** Craft CMS versions 4.0.0-RC1 through 4.17.7 Craft CMS versions 5.0.0-RC1 through 5.9.13 **Description** Craft CMS has an issue where an unauthenticated user can access transformed image bytes from private assets. This occurs by calling the `/assets/generate-transform` API endpoint with a private `assetId`. The endpoint does not verify access rights before providing a transform URL, allowing unauthorized access to content derived from private assets. **Recommendations** Update Craft CMS to version 4.17.8 or later. Update Craft CMS to version 5.9.14 or later.

**Name of the Vulnerable Software and Affected Versions** Craft CMS versions 5.3.0 through 5.9.13 **Description** Craft CMS is a content management system. An authenticated control panel user with only accessCp privileges can move entries between sections using the `/actions/entries/move-to-section` API endpoint, even if they lack the necessary `saveEntries:{sectionUid}` permission for either the source or destination section. The issue stems from a lack of authorization checks within the `actionMoveToSection` function and `moveEntryToSection()` function, allowing direct POST requests to bypass UI filtering and perform unauthorized entry movements. This represents an authorization bypass that could lead to unauthorized content changes and disruption of editorial controls. **Recommendations** Update Craft CMS to version 5.9.14 or later.

**Name of the Vulnerable Software and Affected Versions** Wagtail versions prior to 6.3.8 Wagtail versions prior to 7.0.6 Wagtail versions prior to 7.2.3 Wagtail versions prior to 7.3.1 **Description** Wagtail, an open source content management system built on Django, contains a stored cross-site scripting (XSS) issue affecting the rendering of `TableBlock` blocks within a `StreamField`. A user with the ability to create or edit pages containing `TableBlock` `StreamField` blocks can set specially crafted `class` attributes on the block. This allows for the execution of arbitrary JavaScript code when the page is viewed. If viewed by a user with elevated privileges, this could potentially lead to actions being performed with those credentials. The issue is not exploitable by ordinary site visitors without access to the Wagtail admin interface and only impacts sites utilizing `TableBlock`. **Recommendations** Wagtail versions prior to 6.3.8 should be upgraded to version 6.3.8 or later. Wagtail versions prior to 7.0.6 should be upgraded to version 7.0.6 or later. Wagtail versions prior to 7.2.3 should be upgraded to version 7.2.3 or later. Wagtail versions prior to 7.3.1 should be upgraded to version 7.3.1 or later. As a temporary workaround, site owners unable to upgrade can remediate the issue by setting a `template` attribute on all `TableBlock` definitions, referencing a template that does not output `class` attributes.

**Name of the Vulnerable Software and Affected Versions** Wagtail versions prior to 6.3.8 Wagtail versions prior to 7.0.6 Wagtail versions prior to 7.2.3 Wagtail versions prior to 7.3.1 **Description** A stored cross-site scripting (XSS) issue exists within the `wagtail.contrib.simple translation` module. A user with Wagtail admin access can create a page with a specially crafted title. When another user performs the "Translate" action, this can cause arbitrary JavaScript code to execute, potentially allowing actions to be performed using the other user's credentials. The issue is not exploitable by ordinary site visitors without admin access. **Recommendations** Update to Wagtail version 6.3.8 or later. Update to Wagtail version 7.0.6 or later. Update to Wagtail version 7.2.3 or later. Update to Wagtail version 7.3.1 or later.