Statamic
Statamic is a Laravel and Git powered content management system (CMS). [CVSS 8.7 HIGH]
Remote code execution in Statamic CMS versions prior to 5.73.11 and 6.4.0 allows authenticated users with control panel access and permission to modify Antlers-enabled fields to execute arbitrary code in the application context. An attacker exploiting this vulnerability can fully compromise the application, including stealing sensitive configuration data, modifying or exfiltrating user data, and disrupting availability. A patch is available; exploitation requires authenticated access with specific field configuration permissions.
Statamic CMS versions before 5.73.11 and 6.4.0 expose user email addresses through the user fieldtype data endpoint to authenticated users lacking "view users" permissions, allowing information disclosure. An authenticated attacker with limited privileges can retrieve sensitive email information that should be restricted, potentially enabling targeted attacks or account enumeration.
Statamic is a Laravel and Git powered content management system (CMS). [CVSS 6.8 MEDIUM]
Authenticated Statamic CMS users (versions 6.0.0-6.3.x) can bypass the verification checks that guard against privilege escalation and gain unauthorized elevated access, potentially enabling unauthorized sensitive operations depending on their existing permissions. The vulnerability affects both Statamic and its Laravel framework integration; a patch is available in version 6.4.0.
Password reset poisoning in Statamic CMS before 6.3.3/5.73.10 allows attackers to steal password reset tokens by manipulating the Host header in reset requests. Patch available.
Versions 5.73.8 and below, as well as 6.0.0-alpha.1 through 6.3.1, are affected by cross-site scripting (XSS) (CVSS 8.1).
Authenticated users with content creation permissions in Statamic CMS versions 6.0.0 through 6.2.2 can inject persistent JavaScript through content titles that executes in the browsers of higher-privileged users, potentially allowing attackers to create unauthorized super admin accounts. The vulnerability affects users with control panel access and requires user interaction to trigger. A patch is available in version 6.2.3.
Statamic versions prior to 5.73.6 and 6.2.5 allow authenticated users without asset viewing permissions to download and access asset metadata through improper access controls. Only users with valid control panel access can exploit this vulnerability, as logged-out users are unaffected. A patch is available in the fixed versions.