Craft CMS
cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*
- >= 4.0.0-RC1, < 4.17.0-beta.1
- >= 5.0.0-RC1, < 5.9.0-beta.1
A vulnerability exists in Craft CMS versions 4.0.0-RC1 prior to 4.17.0-beta.1 and 5.0.0-RC1 prior to 5.9.0-beta.1. The issue arises in the GraphQL directive @parseRefs, which is meant to parse internal reference tags. This directive can be exploited by both authenticated users and unauthenticated guests (if a Public Schema is enabled) to access sensitive attributes of any element within the CMS. The vulnerability stems from a lack of authorization checks in the Elements::parseRefs implementation, allowing unauthorized data access. Exploitation can lead to the unauthorized reading of data, including personal information and custom field data, by referencing specific user or element attributes.
Exploitation of this vulnerability allows for unauthorized access to sensitive user data, such as email addresses and usernames, as well as custom field information from Craft CMS elements. The vulnerability also enables unauthenticated guests to access this data when the Public Schema is active.
To reproduce this vulnerability, create a Craft CMS entry with a title that includes a reference tag payload, such as '{user:1:username}' or '{user:1:email}'. Ensure that the Public Schema is enabled and that 'Query for elements in the Site' and 'News' section queries are checked. Then, send a GraphQL request to retrieve the entry title, which will include the parsed reference data.
Users can update to Craft CMS versions 4.17.0-beta.1 or 5.9.0-beta.1, where this vulnerability has been fixed.
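As an added example (not Craft CMS project code), the following Python helper implements two defender-side checks this advisory calls for: deciding whether a reported Craft CMS version falls inside the affected ranges listed above (with semver prerelease ordering, so 4.0.0-RC1 counts as affected while 4.17.0-beta.1 does not), and auditing GraphQL request bodies and stored entry content for the @parseRefs directive and reference tags such as {user:1:email}. The GraphQL query and title strings in the test are constructed samples.

```python
import re

# Affected ranges from the advisory: inclusive lower bound, exclusive upper bound.
AFFECTED_RANGES = [("4.0.0-RC1", "4.17.0-beta.1"), ("5.0.0-RC1", "5.9.0-beta.1")]

# Craft reference tags have the form {elementType:id:attribute}, e.g. {user:1:username}.
REF_TAG = re.compile(r"\{(\w+):([^{}:]+):([^{}:]+)\}")
PARSE_REFS = re.compile(r"@parseRefs\b")


def version_key(version):
    """Sortable key following semver precedence: 4.0.0-RC1 < 4.0.0, beta < RC."""
    core, _, pre = version.strip().partition("-")
    nums = [int(p) for p in core.split(".")]
    nums += [0] * (3 - len(nums))  # tolerate "4.16" style input
    # Numeric prerelease identifiers sort below alphabetic ones, as in semver;
    # "RC1" becomes (rc, 1) and "beta.1" becomes (beta, 1).
    tokens = tuple(
        (0, int(t)) if t.isdigit() else (1, t.lower())
        for t in re.findall(r"[A-Za-z]+|\d+", pre)
    )
    # A release (no prerelease part) sorts above any prerelease of the same core.
    return (*nums, 0 if pre else 1, tokens)


def is_affected(version):
    """True if the given Craft CMS version lies in one of the advisory's ranges."""
    key = version_key(version)
    return any(version_key(lo) <= key < version_key(hi) for lo, hi in AFFECTED_RANGES)


def uses_parse_refs(graphql_body):
    """Flag a GraphQL request body that applies the @parseRefs directive."""
    return bool(PARSE_REFS.search(graphql_body))


def find_reference_tags(text, element_type=None):
    """Return (element_type, id, attribute) tuples found in stored content.

    Pass element_type="user" to narrow the audit to tags that would expose
    user attributes such as email or username when parsed.
    """
    tags = REF_TAG.findall(text)
    if element_type is not None:
        tags = [t for t in tags if t[0] == element_type]
    return tags
```

Run `is_affected` against the versions your installs report, and `find_reference_tags` against entry titles and other text fields to locate content that would be resolved by @parseRefs before the upgrade is rolled out.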