Jasonvarga

**Name of the Vulnerable Software and Affected Versions** Statmatic versions prior to 5.73.11 Statmatic versions prior to 6.4.0 **Description** Statmatic is a Laravel and Git powered content management system (CMS). Before versions 5.73.11 and 6.4.0, user email addresses were included in responses from the user fieldtype’s data endpoint for control panel users lacking the "view users" permission. The data endpoint is accessed via the `/user` API endpoint. The vulnerable parameter is the user's email address. **Recommendations** Update to version 5.73.11 or later. Update to version 6.4.0 or later.

**Name of the Vulnerable Software and Affected Versions** Statmatic versions prior to 5.73.11 Statmatic versions prior to 6.4.0 **Description** Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, a stored cross-site scripting (XSS) issue exists in the svg and icon related components. This allows authenticated users with appropriate permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. **Recommendations** Versions prior to 5.73.11 should be updated to version 5.73.11 or later. Versions prior to 6.4.0 should be updated to version 6.4.0 or later.

**Name of the Vulnerable Software and Affected Versions** Statamic versions 5.73.8 and below, and 6.0.0-alpha.1 through 6.3.1 **Description** Statamic, a Laravel and Git powered content management system (CMS), is affected by a Stored Cross-Site Scripting (XSS) issue in the `html` fieldtypes. This flaw allows authenticated users with field management permissions to inject malicious JavaScript code into content fields. When higher-privileged users view the affected content, the malicious script executes in their browsers, potentially leading to session hijacking or credential theft. The vulnerability allows for potential privilege escalation. **Recommendations** Versions prior to 6.3.2 are vulnerable. Versions prior to 5.73.9 are vulnerable.

**Name of the Vulnerable Software and Affected Versions** Statamic versions 5.3.0 through 5.6.1 **Description** The issue affects sites running Statamic versions between 5.3.0 and 5.6.1, using the `user:register form` tag, file-based user accounts, and having users registered during that time period. Users registering via the `user:register form` tag will have their password confirmation stored in plain text in their user file. This information is only visible to users with access to read user yaml files, typically developers of the application itself. The issue has been patched in version 5.6.2. **Recommendations** For versions 5.3.0 through 5.6.1, system administrators are advised to upgrade their deployments to version 5.6.2 or later. Affected users should have their password reset. To identify affected users, the following query can be used in `php artisan tinker`: `StatamicFacadesUser::query()->whereNotNull('password confirmation')->get()->map->email`. To clear the `password confirmation` value and existing password, requiring users to reset their password before the next login attempt, use the following query in `tinker`: `StatamicFacadesUser::query()->whereNotNull('password confirmation')->get()->each(fn ($user) => $user->remove('password confirmation')->passwordHash(null)->save())`. If user files are committed to a public git repo, consider clearing the sensitive data from the git history.