Impact
Craft CMS contains a missing authorization flaw in the assets/preview-thumb endpoint. A Control Panel user that lacks permission to view a private asset can invoke the endpoint with any asset identifier and obtain preview HTML that includes a signed fallback preview link for that private asset. The vulnerability therefore allows an attacker to discover the details of a private asset and potentially access it through the generated preview link, exposing confidential content without proper authorization.
Affected Systems
The issue touches Craft CMS (CNU 4.0.0-RC1 through 4.17.7 and 5.0.0-RC1 through 5.9.13). These versions are affected; the fix is implemented in 4.17.8 and 5.9.14.
Risk and Exploitability
The flaw carries a CVSS score of 5.3, indicating moderate severity. The EPSS score is not available and the vulnerability is not listed as a known exploited vulnerability by CISA. Attackers need to be authenticated as a Control Panel user but do not require any special rights beyond a standard user account. Once authenticated, the attacker can request a preview for any private asset, gaining access to its signed preview link. The risk is moderate because the attack requires a compromised or legitimate account with insufficient asset‑view permissions, but the impact is significant as it permits disclosure of private asset content.
OpenCVE Enrichment