Craft Cms · Craft Cms · CVE-2026-27128
**Name of the Vulnerable Software and Affected Versions**
Craft versions 4.5.0-RC1 through 4.16.18
Craft versions 5.0.0-RC1 through 5.8.22
**Description**
Craft CMS contains a Time-of-Check-Time-of-Use (TOCTOU) race condition within its token validation service, specifically affecting tokens configured for limited usage. The `getTokenRoute()` method performs non-atomic operations, reading a token’s usage count, verifying its limits, and then updating the database. An attacker can exploit this by sending multiple concurrent requests, potentially reusing a single-use impersonation token before the database update is finalized. Successful exploitation requires obtaining a valid, non-expired impersonation URL and bypassing any rate-limiting mechanisms. If the impersonation URL grants access to an account with higher privileges than the current user, this could lead to privilege escalation.
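The race described above, reduced to its essentials as an added illustration (this is not Craft's code; the table, column names and function names are assumptions): the check-then-update form lets two interleaved requests both pass the usage check, while a single conditional UPDATE makes the check and the increment one atomic step so the database enforces the limit.

```python
import sqlite3

# Constructed in-memory table with the shape the advisory implies: a token
# that carries a usage limit and a usage counter (column names are assumed).
def make_db():
    db = sqlite3.connect(":memory:", isolation_level=None)  # autocommit
    db.execute("CREATE TABLE tokens (token TEXT PRIMARY KEY, usage_limit INT, usage_count INT)")
    db.execute("INSERT INTO tokens VALUES ('single-use-token', 1, 0)")
    return db

def consume_racy(db, token, pending):
    """Read, check, then update as separate statements (the TOCTOU pattern).
    The UPDATE is deferred into `pending` so the caller can interleave two
    requests the way concurrent web requests would interleave."""
    row = db.execute("SELECT usage_limit, usage_count FROM tokens WHERE token=?", (token,)).fetchone()
    if row is None or row[1] >= row[0]:
        return False                      # limit already reached
    pending.append(lambda: db.execute(
        "UPDATE tokens SET usage_count=usage_count+1 WHERE token=?", (token,)))
    return True                           # check passed before the write landed

def consume_atomic(db, token):
    """Check and increment in one conditional UPDATE: the row changes only if
    the counter is still below the limit, so at most `usage_limit` callers
    ever see rowcount == 1, regardless of how requests interleave."""
    cur = db.execute(
        "UPDATE tokens SET usage_count=usage_count+1 "
        "WHERE token=? AND usage_count < usage_limit", (token,))
    return cur.rowcount == 1

def simulate_racy():
    """Two requests both read usage_count=0 before either UPDATE runs."""
    db, pending = make_db(), []
    results = [consume_racy(db, "single-use-token", pending) for _ in range(2)]
    for write in pending:
        write()
    return results.count(True), db.execute("SELECT usage_count FROM tokens").fetchone()[0]

def simulate_atomic():
    """Same two requests against the atomic form: only the first succeeds."""
    db = make_db()
    results = [consume_atomic(db, "single-use-token") for _ in range(2)]
    return results.count(True), db.execute("SELECT usage_count FROM tokens").fetchone()[0]
```

SQLite serialises statements on one connection, so the interleaving here is staged by hand; on a real server the same ordering arises naturally when requests run in parallel, which is why the fix belongs in the query rather than in application-side checks.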
**Recommendations**
Craft versions 4.5.0-RC1 through 4.16.18 should be updated to version 4.16.19 or later.
Craft versions 5.0.0-RC1 through 5.8.22 should be updated to version 5.8.23 or later.