Executive Summary

[{'type': 'paragraph', 'content': 'This vulnerability affects the Craft CMS content management system prior to versions 4.17.0-beta.1 and 5.9.0-beta.1. It allows a user with the "Create Entries" permission to manipulate the entry creation process by injecting the authorId or authorIds[] parameter into the POST request. The backend processes this parameter without verifying if the user is authorized to assign authorship to others. As a result, an attacker can spoof the authorship of new entries by attributing them to any user, including administrators, even if they do not have permission to do so.'}, {'type': 'paragraph', 'content': 'The vulnerability arises from improper authorization checks and insufficient control over which object attributes can be modified via user input, specifically allowing mass assignment of the authorId attribute. This flaw enables unauthorized modification of entry authorship during creation.'}] [2, 3]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have significant impacts because it allows an attacker with limited permissions to create entries that appear to be authored by other users, including administrators. This authorship spoofing can be used to bypass review processes or gain trust by posting content under the guise of trusted or high-privilege users.

Such unauthorized content could be malicious or inappropriate, potentially damaging the reputation of the site or misleading users. It also represents a permission escalation risk, as attackers can effectively impersonate higher-privileged users within the CMS.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring POST requests to the Craft CMS entry creation endpoint for the presence of the authorId or authorIds[] parameter, which should not normally be present for users without the necessary permissions.'}, {'type': 'paragraph', 'content': 'One way to detect exploitation attempts is to intercept and inspect HTTP POST requests during entry creation, looking for injected authorId parameters that assign authorship to users other than the requestor.'}, {'type': 'paragraph', 'content': 'Commands or tools that can be used include proxy tools like Burp Suite or command-line tools such as curl combined with grep to analyze logs or intercepted requests.'}, {'type': 'list_item', 'content': 'Use a proxy tool (e.g., Burp Suite) to intercept POST requests to the CMS entry creation endpoint and check for authorId or authorIds[] parameters.'}, {'type': 'list_item', 'content': "Search web server or application logs for POST requests containing 'authorId' or 'authorIds[]' parameters using commands like: grep -i 'authorId' /path/to/access.log"}, {'type': 'list_item', 'content': 'Use curl to simulate entry creation requests and verify if authorId parameters are accepted without proper authorization.'}] [2]

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The immediate mitigation step is to upgrade Craft CMS to a patched version where this vulnerability is fixed, specifically version 4.17.0-beta.1 or later, or 5.9.0-beta.1 or later.'}, {'type': 'paragraph', 'content': "Until the upgrade can be performed, restrict users with 'Create Entries' permission from accessing the entry creation functionality or closely monitor and audit entry creation activities."}, {'type': 'paragraph', 'content': 'Additionally, review and tighten permission settings to ensure that only trusted users have the ability to create entries.'}, {'type': 'list_item', 'content': 'Upgrade Craft CMS to version 4.17.0-beta.1, 5.9.0-beta.1, or later.'}, {'type': 'list_item', 'content': "Restrict or monitor users with 'Create Entries' permission until the patch is applied."}, {'type': 'list_item', 'content': 'Audit entry creation logs for suspicious authorId parameter usage.'}] [2, 3]

Useful 0 Not Useful 0