GHSA-x76w-8c62-48mgMediumDisclosed before NVD
Craft CMS: Authenticated "assets/preview-thumb" discloses signed fallback transform preview link to CP users without asset-view permission
📋 Description
Summary
A user with Control Panel access but without permission to view a target private asset can call assets/preview-thumb and receive preview HTML that contains a signed fallback transform link for that private asset.
Details
Root-cause analysis:
- The endpoint accepts an attacker-controlled
assetId. - Asset is resolved, and thumbnail HTML is returned.
- No explicit asset-view permission check is performed before preview generation.
Impact
Type:
- Missing authorization
- Unauthorized preview-link disclosure
Affected deployments:
- Craft sites with control panel users who have partial permissions and private assets.
Security consequence:
- A control panel user without asset-view permission can still obtain signed preview transform link data for private assets.
- This may increase private asset exposure risk depending on deployment and endpoint chaining.
Resources
https://github.com/craftcms/cms/commit/d30df3112220db1ffd6726a3ed11857014c7fb27
🎯 Affected products2
- composer/craftcms/cms:>= 4.0.0-RC1, <= 4.17.7
- composer/craftcms/cms:>= 5.0.0-RC1, <= 5.9.13