PT-2026-25817 · Craft Cms+1
Neosprings · Published 2026-03-16 · Updated 2026-03-18 · CVE-2026-32265
CVSS v4.0: 6.9 Medium
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
Amazon S3 for Craft CMS versions 2.0.2 through 2.2.4
Description
The Amazon S3 for Craft CMS plugin integrates Amazon S3 with Craft CMS. In versions 2.0.2 through 2.2.4, unauthenticated users can view a list of buckets the plugin has access to. The BucketsController->actionLoadBucketData() endpoint allows unauthenticated users with a valid CSRF token to view a list of buckets that the plugin is permitted to access.
Recommendations
Update the plugin to version 2.2.5.
Exploit
Fix
Information Disclosure
Affected Products
Amazon S3 For Craft Cms
Craft Cms