Severity: critical (10)
First published: Wed Sep 13 2023
Last modified: Wed Sep 20 2023
CWE: 94
### Impact This is a high-impact, low-complexity attack vector. Users running Craft installations before 4.4.15 are encouraged to update to at least that version to mitigate the issue. ### Mitigations * This has been fixed in Craft 4.4.15. You should ensure you’re running at least that version. * Refresh your security key in case it has already been captured. You can do that by running the `php craft setup/security-key` command and copying the updated `CRAFT_SECURITY_KEY` environment variable to all production environments. * If you have any other private keys stored as environment variables (e.g., S3 or Stripe), refresh those as well. * Out of an abundance of caution, you may want to force all your users to reset their passwords in case your database was compromised. You can do that by running `php craft resave/users --set passwordResetRequired --to "fn() => true"`. ### References https://github.com/craftcms/cms/commit/c0a37e15cc925c473e60e27fe64054993b867ac1#diff-47dd43d86f85161944dfcce2e41d31955c4184672d9bd9d82b948c6b01b86476 https://github.com/craftcms/cms/commit/7359d18d46389ffac86c2af1e0cd59e37c298857 https://github.com/craftcms/cms/commit/a270b928f3d34ad3bd953b81c304424edd57355e https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#4415---2023-07-03-critical
The severity of GHSA-4w8r-3xrw-v25g is critical with a severity value of 10.
To mitigate the vulnerability GHSA-4w8r-3xrw-v25g, you should update your Craft installation to at least version 4.4.15.
The impact of GHSA-4w8r-3xrw-v25g is high, but the complexity of the attack vector is low.
The recommended version to fix GHSA-4w8r-3xrw-v25g is at least Craft 4.4.15.
The CWE ID of GHSA-4w8r-3xrw-v25g is 94.
