Craft CMS Vulnerable to Unauthorized Deletion of Destination Folders During Forced Moves
🔗 CVE IDs covered (1)
📋 Description
We have identified an authorization issue in Craft CMS where a forced folder move can delete a conflicting destination folder without destination delete permission.
Description
Craft CMS’s craft\\controllers\\AssetsController::actionMoveFolder() supports moving an asset folder into a destination parent folder. If a folder with the same name already exists at the destination, the action can be called with force=true to overwrite the destination.
The permission checks for this action allow:
deleteAssets:<sourceVolumeUid>for the folder being movedcreateFolders:<destVolumeUid>for the destination parent foldersaveAssets:<destVolumeUid>for the destination parent folder
The action does not require deleteAssets on the destination volume or destination conflict folder. When force=true and a name conflict exists, the code deletes the destination folder to resolve the conflict.
$this->requireVolumePermissionByFolder('deleteAssets', $folderToMove);
$this->requireVolumePermissionByFolder('createFolders', $destinationFolder);
$this->requireVolumePermissionByFolder('saveAssets', $destinationFolder);
src/controllers/AssetsController.php:L751-L753
Indexed destination conflicts are deleted via the Assets service:
$assets->deleteFoldersByIds($existingFolder->id);
src/controllers/AssetsController.php:L798-L798
Unindexed destination conflicts are deleted directly in the volume filesystem:
$targetVolume->deleteDirectory(rtrim($destinationFolder->path, '/') . '/' . $folderToMove->name);
src/controllers/AssetsController.php:L815
Impact
A user who cannot delete assets in a destination volume can still delete a destination folder and its contents by triggering a forced move into a conflicting name. This can cause asset loss, broken references in entries and fields that point to deleted assets, and operational disruption.
🎯 Affected products2
- composer/craftcms/cms:>= 5.0.0-RC1, < 5.9.21
- composer/craftcms/cms:>= 4.0.0-RC1, < 4.17.14