{"id":"GHSA-vqxq-hvxw-9mv9","summary":"Statmic CMS vulnerable to account takeover via XSS and password reset link","details":"### Impact\n\nHTML files crafted to look like jpg files are able to be uploaded, allowing for XSS.\n\nThis affects:\n\n- front-end forms with asset fields without any mime type validation\n- asset fields in the control panel\n- asset browser in the control panel\n\nAdditionally, if the XSS is crafted in a specific way, the \"copy password reset link\" feature may be exploited to gain access to a user's password reset token and gain access to their account. The authorized user is required to execute the XSS in order for the vulnerability to occur.\n\n### Patches\n\nIn versions 4.46.0 and 3.4.17, the XSS vulnerability has been patched, and the copy password reset link functionality has been disabled. (Users may still trigger password reset emails.)\n\n### Credits\n\nStatamic thanks Niklas Schilling (discovery, analysis, coordination) from the SEC Consult Vulnerability Lab (https://www.sec-consult.com/) for responsibly reporting the identified issues and working with us as we addressed them.","aliases":["CVE-2024-24570"],"modified":"2024-02-16T08:23:04.156773Z","published":"2024-02-01T20:51:46Z","related":["CVE-2024-24570"],"database_specific":{"severity":"HIGH","github_reviewed_at":"2024-02-01T20:51:46Z","github_reviewed":true,"cwe_ids":["CWE-79","CWE-80"],"nvd_published_at":"2024-02-01T17:15:11Z"},"references":[{"type":"WEB","url":"https://github.com/statamic/cms/security/advisories/GHSA-vqxq-hvxw-9mv9"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-24570"},{"type":"PACKAGE","url":"https://github.com/statamic/cms"},{"type":"WEB","url":"http://packetstormsecurity.com/files/177133/Statamic-CMS-Cross-Site-Scripting.html"},{"type":"WEB","url":"http://seclists.org/fulldisclosure/2024/Feb/17"}],"affected":[{"package":{"name":"statamic/cms","ecosystem":"Packagist","purl":"pkg:composer/statamic/cms"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"4.00"},{"fixed":"4.46.0"}]}],"versions":["v4.0.0","v4.0.0-alpha.1","v4.0.0-alpha.2","v4.0.0-alpha.3","v4.0.0-alpha.4","v4.0.0-alpha.5","v4.0.0-beta.1","v4.0.0-beta.2","v4.0.0-beta.3","v4.0.0-beta.4","v4.1.0","v4.1.1","v4.1.2","v4.1.3","v4.10.0","v4.10.1","v4.10.2","v4.11.0","v4.12.0","v4.13.0","v4.13.1","v4.13.2","v4.14.0","v4.15.0","v4.16.0","v4.17.0","v4.18.0","v4.19.0","v4.2.0","v4.20.0","v4.21.0","v4.22.0","v4.23.0","v4.23.1","v4.23.2","v4.24.0","v4.25.0","v4.26.0","v4.26.1","v4.27.0","v4.28.0","v4.29.0","v4.3.0","v4.30.0","v4.31.0","v4.32.0","v4.33.0","v4.34.0","v4.35.0","v4.36.0","v4.37.0","v4.38.0","v4.39.0","v4.4.0","v4.40.0","v4.41.0","v4.42.0","v4.42.1","v4.43.0","v4.44.0","v4.45.0","v4.5.0","v4.6.0","v4.7.0","v4.8.0","v4.9.0","v4.9.1","v4.9.2"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-vqxq-hvxw-9mv9/GHSA-vqxq-hvxw-9mv9.json"}},{"package":{"name":"statamic/cms","ecosystem":"Packagist","purl":"pkg:composer/statamic/cms"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.4.17"}]}],"versions":["v3.0.0","v3.0.0-beta.1","v3.0.0-beta.10","v3.0.0-beta.11","v3.0.0-beta.12","v3.0.0-beta.13","v3.0.0-beta.14","v3.0.0-beta.15","v3.0.0-beta.16","v3.0.0-beta.17","v3.0.0-beta.18","v3.0.0-beta.19","v3.0.0-beta.2","v3.0.0-beta.20","v3.0.0-beta.21","v3.0.0-beta.22","v3.0.0-beta.23","v3.0.0-beta.24","v3.0.0-beta.25","v3.0.0-beta.26","v3.0.0-beta.27","v3.0.0-beta.28","v3.0.0-beta.29","v3.0.0-beta.3","v3.0.0-beta.30","v3.0.0-beta.31","v3.0.0-beta.32","v3.0.0-beta.33","v3.0.0-beta.34","v3.0.0-beta.35","v3.0.0-beta.36","v3.0.0-beta.37","v3.0.0-beta.38","v3.0.0-beta.39","v3.0.0-beta.4","v3.0.0-beta.40","v3.0.0-beta.41","v3.0.0-beta.42","v3.0.0-beta.43","v3.0.0-beta.44","v3.0.0-beta.45","v3.0.0-beta.46","v3.0.0-beta.5","v3.0.0-beta.6","v3.0.0-beta.7","v3.0.0-beta.8","v3.0.0-beta.9","v3.0.1","v3.0.10","v3.0.11","v3.0.12","v3.0.13","v3.0.14","v3.0.15","v3.0.16","v3.0.17","v3.0.18","v3.0.19","v3.0.2","v3.0.20","v3.0.21","v3.0.22","v3.0.23","v3.0.24","v3.0.25","v3.0.26","v3.0.27","v3.0.28","v3.0.29","v3.0.3","v3.0.30","v3.0.31","v3.0.32","v3.0.33","v3.0.34","v3.0.35","v3.0.35.1","v3.0.36","v3.0.36.1","v3.0.37","v3.0.38","v3.0.39","v3.0.4","v3.0.40","v3.0.41","v3.0.42","v3.0.43","v3.0.44","v3.0.45","v3.0.46","v3.0.47","v3.0.48","v3.0.49","v3.0.5","v3.0.6","v3.0.7","v3.0.8","v3.0.9","v3.1.0","v3.1.0-alpha.1","v3.1.0-alpha.2","v3.1.0-alpha.3","v3.1.0-alpha.4","v3.1.0-beta.1","v3.1.0-beta.2","v3.1.0-beta.3","v3.1.1","v3.1.10","v3.1.11","v3.1.12","v3.1.13","v3.1.14","v3.1.15","v3.1.16","v3.1.17","v3.1.18","v3.1.19","v3.1.2","v3.1.20","v3.1.21","v3.1.22","v3.1.23","v3.1.24","v3.1.25","v3.1.26","v3.1.27","v3.1.28","v3.1.29","v3.1.3","v3.1.30","v3.1.31","v3.1.32","v3.1.33","v3.1.34","v3.1.35","v3.1.4","v3.1.5","v3.1.6","v3.1.7","v3.1.8","v3.1.9","v3.2.0","v3.2.0-beta.1","v3.2.1","v3.2.10","v3.2.11","v3.2.12","v3.2.13","v3.2.14","v3.2.15","v3.2.16","v3.2.17","v3.2.18","v3.2.19","v3.2.2","v3.2.20","v3.2.21","v3.2.22","v3.2.23","v3.2.24","v3.2.25","v3.2.26","v3.2.27","v3.2.28","v3.2.29","v3.2.3","v3.2.30","v3.2.31","v3.2.32","v3.2.33","v3.2.34","v3.2.35","v3.2.36","v3.2.37","v3.2.38","v3.2.39","v3.2.4","v3.2.5","v3.2.6","v3.2.7","v3.2.8","v3.2.9","v3.3.0","v3.3.0-beta.1","v3.3.0-beta.2","v3.3.0-beta.3","v3.3.0-beta.4","v3.3.0-beta.5","v3.3.0-beta.6","v3.3.0-beta.7","v3.3.1","v3.3.10","v3.3.11","v3.3.12","v3.3.13","v3.3.14","v3.3.15","v3.3.16","v3.3.17","v3.3.18","v3.3.19","v3.3.2","v3.3.20","v3.3.21","v3.3.22","v3.3.23","v3.3.24","v3.3.25","v3.3.26","v3.3.27","v3.3.28","v3.3.29","v3.3.3","v3.3.30","v3.3.31","v3.3.32","v3.3.33","v3.3.34","v3.3.35","v3.3.36","v3.3.37","v3.3.38","v3.3.39","v3.3.4","v3.3.40","v3.3.41","v3.3.42","v3.3.43","v3.3.44","v3.3.45","v3.3.46","v3.3.47","v3.3.48","v3.3.49","v3.3.5","v3.3.50","v3.3.51","v3.3.52","v3.3.53","v3.3.54","v3.3.55","v3.3.56","v3.3.57","v3.3.58","v3.3.59","v3.3.6","v3.3.60","v3.3.61","v3.3.62","v3.3.63","v3.3.64","v3.3.65","v3.3.66","v3.3.67","v3.3.68","v3.3.7","v3.3.8","v3.3.9","v3.4.0","v3.4.1","v3.4.10","v3.4.11","v3.4.12","v3.4.13","v3.4.14","v3.4.15","v3.4.16","v3.4.2","v3.4.3","v3.4.4","v3.4.5","v3.4.6","v3.4.7","v3.4.8","v3.4.9"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-vqxq-hvxw-9mv9/GHSA-vqxq-hvxw-9mv9.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N"}]}