First published: Thu Feb 01 2024
### Impact

HTML files crafted to look like JPG files can be uploaded, allowing for XSS. This affects:

- front-end forms with asset fields without any MIME type validation
- asset fields in the control panel
- the asset browser in the control panel

Additionally, if the XSS is crafted in a specific way, the "copy password reset link" feature may be exploited to obtain a user's password reset token and gain access to their account. An authorized user must execute the XSS for the vulnerability to occur.

### Patches

In versions 4.46.0 and 3.4.17, the XSS vulnerability has been patched and the copy password reset link functionality has been disabled. (Users may still trigger password reset emails.)

### Credits

Statamic thanks Niklas Schilling (discovery, analysis, coordination) from the SEC Consult Vulnerability Lab (https://www.sec-consult.com/) for responsibly reporting the identified issues and working with us as we addressed them.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/statamic/cms | <3.4.17 | 3.4.17 |
| composer/statamic/cms | >=4.00<4.46.0 | 4.46.0 |
| Statamic Statamic | <3.4.17 | |
| Statamic Statamic | >=4.0.0<4.46.0 | |
CVE-2024-24570 has a moderate severity due to the potential for cross-site scripting (XSS) attacks through improper file uploads.
To fix CVE-2024-24570, update Statamic CMS to version 3.4.17 (3.x branch) or 4.46.0 (4.x branch), which include the security patches.
CVE-2024-24570 affects Statamic CMS versions earlier than 3.4.17 and versions from 4.0.0 up to, but not including, 4.46.0.
CVE-2024-24570 can allow attackers to execute cross-site scripting (XSS) attacks by uploading malicious HTML files disguised as image files.
A potential workaround for CVE-2024-24570 is to implement strict MIME type validation for uploaded files in your application.
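The workaround above hinges on validating what the uploaded bytes actually are, not the extension or the client-supplied Content-Type. The following is an added example (not Statamic's code; Statamic is a PHP/Laravel application, so this Python is illustrative of the check, not a drop-in) that accepts an upload only when its leading bytes carry the signature of the declared image type and rejects anything a browser could sniff as HTML, which is exactly the "HTML named as .jpg" case this advisory describes. The signature table, marker list and sample inputs are constructed for the example.

```python
"""Content-based validation for image uploads (added example, not Statamic code)."""
import re

# Magic bytes for the image types we accept (constructed allow-list).
IMAGE_SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Markup a browser may render as HTML if the asset is served inline.
HTML_MARKERS = re.compile(rb"<\s*(!doctype|html|script|svg|body|iframe)", re.IGNORECASE)


def validate_image_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (ok, reason).

    Accept only when the extension is on the allow-list AND the first bytes
    carry that type's signature. HTML-looking content is rejected regardless
    of extension, so "photo.jpg" containing a <script> never passes.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in IMAGE_SIGNATURES:
        return False, f"extension '{ext}' is not an allowed image type"
    head = data[:1024]  # signatures and HTML preambles sit at the start
    if HTML_MARKERS.search(head):
        return False, "content looks like HTML, not an image"
    if not any(head.startswith(sig) for sig in IMAGE_SIGNATURES[ext]):
        return False, f"content does not match a .{ext} signature"
    return True, "ok"


# Constructed samples: a minimal JPEG/JFIF header, and an HTML document
# that an attacker would name "photo.jpg" to slip past extension-only checks.
REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32
FAKE_JPEG = b"<!DOCTYPE html><html><body><script>/* placeholder */</script></body></html>"

if __name__ == "__main__":
    for name, blob in (("photo.jpg", REAL_JPEG), ("photo.jpg", FAKE_JPEG), ("page.html", FAKE_JPEG)):
        print(name, validate_image_upload(name, blob))
```

Content validation is one layer; serving user uploads with the correct Content-Type and an `X-Content-Type-Options: nosniff` header stops the browser from reinterpreting a stored file as HTML even if a check is bypassed.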