Craft CMS Sprig Plugin Sensitive Data Exposure Vulnerability

Vulnerability

A vulnerability in the Sprig Plugin for Craft CMS allows admin users and those with permission to access the Sprig Playground to inadvertently expose sensitive information such as the security key, credentials, and other configuration data. This issue affects versions from 2.0.0 up to but not including 2.15.2, and from 3.0.0 up to but not including 3.15.2, and could also be exploited to run the `hashData()` signing function. The vulnerability was mitigated in versions 2.15.2 and 3.15.2 by disabling access to the Sprig Playground when `devMode` is off, unless the `enablePlaygroundWhenDevModeDisabled` setting is explicitly enabled.

Impact

Exploitation of this vulnerability could lead to unauthorized exposure of sensitive configuration data, including security keys and credentials.

Remediation

Users can update to Sprig Plugin versions 2.15.2 or 3.15.2 to address this vulnerability. After updating, the Sprig Playground will be disabled by default when `devMode` is off, unless the `enablePlaygroundWhenDevModeDisabled` setting is set to `true`.
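
One way to check an install against the version ranges and settings described above (an added example, not code from the advisory or the Sprig project). The Composer package name, the sample `composer.lock` content and the function names are assumptions; the two boolean arguments stand for the site's `devMode` value and the plugin's `enablePlaygroundWhenDevModeDisabled` setting.

```python
import json
import re

# Assumption: Composer package name of the Sprig plugin (not stated on the page).
PACKAGE = "putyourlightson/craft-sprig"

# Affected ranges from the advisory, as (first affected, first fixed) pairs.
AFFECTED = [((2, 0, 0), (2, 15, 2)), ((3, 0, 0), (3, 15, 2))]

# Constructed sample composer.lock content, for illustration only.
SAMPLE_LOCK = json.dumps({"packages": [{"name": PACKAGE, "version": "2.15.1"}], "packages-dev": []})


def parse_version(text):
    """'2.15.1' or 'v3.0.0-beta.1' -> (major, minor, patch); pre-release tags are ignored."""
    match = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not match:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(part) for part in match.groups())


def installed_version(lock_text, package=PACKAGE):
    """Return the locked version of the package, or None if it is not installed."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for entry in lock.get(section) or []:
            if entry.get("name") == package:
                return entry.get("version")
    return None


def assess(version, dev_mode, enable_playground_when_dev_mode_disabled=False):
    """Classify one install from its version and the two settings the advisory names."""
    parsed = parse_version(version)
    if any(low <= parsed < high for low, high in AFFECTED):
        return "affected: update to 2.15.2 or 3.15.2"
    if not (2, 15, 2) <= parsed < (4, 0, 0):
        return "not listed in advisory"
    # Fixed releases: the playground is off unless devMode or the override is on.
    if dev_mode or enable_playground_when_dev_mode_disabled:
        return "patched: playground enabled"
    return "patched: playground disabled"


if __name__ == "__main__":
    print(assess(installed_version(SAMPLE_LOCK), dev_mode=False))
```

A result of "patched: playground enabled" on a production site means the Playground is still reachable by the users the advisory describes, so the override setting is worth reviewing.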

Added: Mar 23, 2026, 8:31 PM
Updated: Mar 23, 2026, 8:31 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 5.5
remediation: 0.0
relevance: 4.6
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.