Singetu0096

**Name of the Vulnerable Software and Affected Versions** Craft versions prior to 4.17.4 Craft versions prior to 5.9.7 **Description** Craft CMS has a Cross-Site Request Forgery (CSRF) issue in the preview token endpoint. The endpoint, located at `/actions/preview/create-token`, accepts an attacker-supplied `previewToken`. The action does not require a POST request and does not enforce a CSRF token, allowing an attacker to force a logged-in editor to generate a preview token chosen by the attacker. This token can then be used by the attacker, without authentication, to access previewed or unpublished content authorized for the victim’s preview scope. **Recommendations** Update to Craft version 4.17.4 or later. Update to Craft version 5.9.7 or later.

Name of the Vulnerable Software and Affected Versions: Craft versions 4.0.0-RC1 through 4.16.5 Craft versions 5.0.0-RC1 through 5.8.6 Description: Craft is a platform for creating digital experiences. A remote code execution issue exists due to Server-Side Template Injection (SSTI) in Twig. Recommendations: Update to Craft version 4.16.6 or later. Update to Craft version 5.8.7 or later.

**Name of the Vulnerable Software and Affected Versions** Craft CMS versions 4.0.0-RC1 through 4.14.12 Craft CMS versions 5.0.0-RC1 through 5.6.15 **Description** Craft is a content management system that contains a potential remote code execution vulnerability via Twig SSTI. This issue can be exploited if an attacker has administrator access and the `ALLOW ADMIN CHANGES` option is enabled. It is estimated that around 23,000 devices may be affected. To mitigate the issue, users should update to the patched versions 4.14.13 or 5.6.15. **Recommendations** For Craft CMS versions 4.0.0-RC1 through 4.14.12, update to version 4.14.13 to resolve the issue. For Craft CMS versions 5.0.0-RC1 through 5.6.15, update to version 5.6.15 to resolve the issue. As a temporary workaround, consider setting `ALLOW ADMIN CHANGES` to false in production to minimize the risk of exploitation.