Severity: critical (10)

First published: Wed Sep 13 2023

Last modified: Wed Sep 20 2023

CWE: 94

### Impact This is a high-impact, low-complexity attack vector. Users running Craft installations before 4.4.15 are encouraged to update to at least that version to mitigate the issue. ### Mitigations * This has been fixed in Craft 4.4.15. You should ensure you’re running at least that version. * Refresh your security key in case it has already been captured. You can do that by running the `php craft setup/security-key` command and copying the updated `CRAFT_SECURITY_KEY` environment variable to all production environments. * If you have any other private keys stored as environment variables (e.g., S3 or Stripe), refresh those as well. * Out of an abundance of caution, you may want to force all your users to reset their passwords in case your database was compromised. You can do that by running `php craft resave/users --set passwordResetRequired --to "fn() => true"`. ### References https://github.com/craftcms/cms/commit/c0a37e15cc925c473e60e27fe64054993b867ac1#diff-47dd43d86f85161944dfcce2e41d31955c4184672d9bd9d82b948c6b01b86476 https://github.com/craftcms/cms/commit/7359d18d46389ffac86c2af1e0cd59e37c298857 https://github.com/craftcms/cms/commit/a270b928f3d34ad3bd953b81c304424edd57355e https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#4415---2023-07-03-critical

Any of

  • composer/craftcms/cms
    fixed in: 4.4.15
SecAlerts Pty Ltd.
Fortitude Valley,
QLD 4006, Australia
© Copyright 2023 - ABN: 70 645 966 203, ACN: 645 966 203