Craft Sprig
Monthly
The Sprig Plugin for Craft CMS contains an information disclosure vulnerability that allows authenticated admin users and those with explicit Sprig Playground access to expose sensitive configuration data including security keys and credentials, as well as invoke the hashData() signing function. Affected versions include 2.0.0 through 2.15.1 and 3.0.0 through 3.15.1, with patches released in versions 2.15.2 and 3.15.2 that disable the Sprig Playground by default when devMode is disabled. This is not currently tracked as an actively exploited vulnerability in public KEV databases, though proof-of-concept code may exist in the referenced GitHub security advisory and commits.
The Sprig Plugin for Craft CMS contains an information disclosure vulnerability that allows authenticated admin users and those with explicit Sprig Playground access to expose sensitive configuration data including security keys and credentials, as well as invoke the hashData() signing function. Affected versions include 2.0.0 through 2.15.1 and 3.0.0 through 3.15.1, with patches released in versions 2.15.2 and 3.15.2 that disable the Sprig Playground by default when devMode is disabled. This is not currently tracked as an actively exploited vulnerability in public KEV databases, though proof-of-concept code may exist in the referenced GitHub security advisory and commits.