PT-2025-32359 · Unknown · Statamic Core
| Published | 2025-08-08 |
| Updated | 2025-08-13 |
| CVE | CVE-2020-9322 |
| CVSS v3.1 | 8.8 (High) |
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Statamic Core versions prior to 2.11.8
Description
The /users endpoint is susceptible to cross-site scripting (XSS), which could allow an attacker to add an administrator user. Exploitation can also occur through cross-site request forgery (CSRF). Stored XSS can be triggered by injecting a JavaScript payload into the username field during account registration; reflected XSS can be triggered via the /users API endpoint.
Recommendations
Update to Statamic Core version 2.11.8 or later.
As a temporary workaround, restrict access to the /users API endpoint.
Sanitize the username input field during account registration to prevent the injection of JavaScript payloads.
Fix
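As an added illustration of the last recommendation (example code written for this page, not code from Statamic or from the advisory), the Python below shows an allowlist username validator, output-time HTML escaping, and an audit over constructed sample user records that flags names containing markup which may already have been stored before the fix was applied. The allowlist pattern and the record shape are assumptions.

```python
import html
import re

# Allowlist for usernames: letters, digits, dot, underscore, hyphen, 3-32 chars.
# This pattern is an assumption for the example, not a Statamic rule.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{3,32}$")

# Markup fragments that have no business in a username; used to flag records
# that were stored before input validation existed (updating does not clean them).
SUSPICIOUS_RE = re.compile(r"[<>\"']|javascript:|on\w+\s*=", re.IGNORECASE)


def is_valid_username(username: str) -> bool:
    """Reject anything outside the allowlist instead of trying to strip tags."""
    return bool(USERNAME_RE.fullmatch(username))


def render_username(username: str) -> str:
    """Escape at output time so a name is always treated as text by the browser."""
    return html.escape(username, quote=True)


def audit_usernames(users):
    """Return ids of stored records whose username fails the allowlist or
    contains markup/script fragments. 'users' is a list of dicts with
    'id' and 'username' keys (assumed record shape)."""
    return [u["id"] for u in users
            if not is_valid_username(u["username"])
            or SUSPICIOUS_RE.search(u["username"])]


# Constructed sample records, not data from any real installation.
SAMPLE_USERS = [
    {"id": 1, "username": "alice"},
    {"id": 2, "username": "<script>x</script>"},
    {"id": 3, "username": "bob_smith"},
    {"id": 4, "username": 'x" onmouseover="y'},
]

if __name__ == "__main__":
    for u in SAMPLE_USERS:
        print(u["id"], is_valid_username(u["username"]), render_username(u["username"]))
    print("records to clean up:", audit_usernames(SAMPLE_USERS))  # [2, 4]
```

Validation at registration stops new payloads; the audit is what finds usernames that were stored before the update and still need to be fixed in the user store.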
CSRF
XSS
Related Identifiers
Affected Products
Statamic Core