CVE-2026-56385
Status: Received - Intake
Authorization Bypass in Craft CMS Preview File Endpoint

Publication date: 2026-06-21

Last updated on: 2026-06-21

Assigner: VulnCheck

Description
Craft CMS versions >= 5.0.0-RC1, <= 5.9.13 and >= 4.0.0-RC1, <= 4.17.7 contain an authorization bypass in the assets/preview-file endpoint. The action does not enforce per-asset view authorization before returning preview content, allowing an authenticated low-privileged user to supply a controlled assetId for an asset they are not permitted to view and still receive preview response data (previewHtml), including a private preview image route containing the target private assetId. Fixed in 5.9.14 and 4.17.8.
Affected Vendors & Products
Vendor     Product     Version / Range
craftcms   craft_cms   From 4.0.0-RC1 (inclusive) to 4.17.7 (inclusive)
craftcms   craft_cms   From 5.0.0-RC1 (inclusive) to 5.9.13 (inclusive)
craftcms   craft_cms   4.17.8 (fixed release)
craftcms   craft_cms   5.9.14 (fixed release)
CWE
CWE-639: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
AI Quick Actions
Compliance Impact

This vulnerability allows an authenticated low-privileged user to bypass authorization controls and access preview content of assets they are not permitted to view, including private preview image routes containing sensitive asset IDs.

Such unauthorized exposure of sensitive information could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict access controls and protection of personal or sensitive data.

By allowing unauthorized access to private asset previews, the vulnerability increases the risk of data leakage, potentially violating confidentiality and privacy requirements mandated by these standards.

Executive Summary

This vulnerability exists in Craft CMS versions 4.0.0-RC1 through 4.17.7 and 5.0.0-RC1 through 5.9.13 in the assets/preview-file endpoint.

The issue is an authorization bypass where the system does not enforce per-asset view authorization before returning preview content.

As a result, an authenticated low-privileged user can supply a controlled assetId for an asset they are not permitted to view and still receive preview response data, including a private preview image route containing the target private assetId.

This means unauthorized users can access sensitive preview metadata of restricted assets.

Impact Analysis

This vulnerability allows an authenticated low-privileged user to bypass access controls and view private preview data of assets they should not have permission to see.

The exposure of sensitive preview metadata, including private image routes and asset IDs, can lead to unauthorized disclosure of confidential or proprietary information.

Such unauthorized access can undermine the confidentiality of your digital assets and potentially lead to further exploitation or data leaks.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Craft CMS to a patched version where the issue is fixed.

  • Upgrade to Craft CMS version 5.9.14 or later if you are using the 5.x series.
  • Upgrade to Craft CMS version 4.17.8 or later if you are using the 4.x series.

These updates enforce proper authorization checks on the assets/preview-file endpoint, preventing unauthorized preview content access.
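To check an inventory of Craft CMS installations against the affected ranges above, here is an added example (not code from Craft CMS or from this advisory). The version ranges and fixed releases are taken from the advisory; the parser follows SemVer ordering so that the RC builds named in the ranges sort before their final releases, and the inventory in main() is constructed for illustration.

```python
import re

# Affected ranges from the advisory, inclusive at both ends, and the fixed releases.
AFFECTED_RANGES = [("4.0.0-RC1", "4.17.7"), ("5.0.0-RC1", "5.9.13")]
FIXED_VERSIONS = {4: "4.17.8", 5: "5.9.14"}

_VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.\-]+))?(?:\+[0-9A-Za-z.\-]+)?$"
)


def version_key(version: str) -> tuple:
    """Turn 'MAJOR.MINOR.PATCH[-PRERELEASE][+BUILD]' into a sortable key.

    A pre-release such as 5.0.0-RC1 sorts *before* the final 5.0.0, which is
    why the RC builds named in the advisory fall inside the affected ranges.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    pre = m.group(4)
    if pre is None:
        return (major, minor, patch, 1, ())          # final release
    # Split 'RC1' / 'beta.2' into ('rc', 1) / ('beta', 2); numeric parts order
    # before alphabetic ones, matching SemVer pre-release comparison.
    parts = tuple(
        (0, int(tok)) if tok.isdigit() else (1, tok.lower())
        for tok in re.findall(r"\d+|[A-Za-z]+", pre)
    )
    return (major, minor, patch, 0, parts)           # pre-release


def is_affected(version: str) -> bool:
    """True if the version lies inside one of the advisory's affected ranges."""
    key = version_key(version)
    return any(version_key(lo) <= key <= version_key(hi) for lo, hi in AFFECTED_RANGES)


def remediation(version: str) -> str:
    """One-line verdict for an installed version, naming the fixed release."""
    if not is_affected(version):
        return f"{version}: not in an affected range"
    return f"{version}: affected, upgrade to {FIXED_VERSIONS[version_key(version)[0]]} or later"


if __name__ == "__main__":
    # Constructed inventory of hostnames and installed versions (not real hosts).
    inventory = {"cms-a.example": "5.9.13", "cms-b.example": "4.0.0-RC1", "cms-c.example": "5.9.14"}
    for host, ver in inventory.items():
        print(f"{host}: {remediation(ver)}")
```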

Detection Guidance

This vulnerability can be detected by testing the assets/preview-file endpoint in Craft CMS for an authorization bypass. Specifically, an authenticated low-privileged user can supply a controlled assetId parameter for an asset they should not have access to and observe whether preview content is returned.

A practical approach is to authenticate as a low-privileged user and send HTTP requests to the vulnerable endpoint with different assetId values, including those of assets that the user should not be authorized to view. If previewHtml or private preview image routes containing unauthorized asset IDs are returned, the system is vulnerable.

Example command using curl to test the endpoint (replace placeholders accordingly):

  • curl -i -X POST 'https://your-craftcms-site.com/actions/assets/preview-file' -H 'Content-Type: application/json' -H 'Cookie: your_auth_cookie' -d '{"assetId": "<target_asset_id>"}'

Check the response for previewHtml content or private preview image routes referencing the assetId. Presence of such data indicates the vulnerability.
