Craft CMS Author Spoofing Vulnerability via Mass Assignment

Vulnerability

A vulnerability in Craft CMS versions prior to 4.17.0-beta.1 and 5.9.0-beta.1 allows for unauthorized attribution of entries to users, including administrators. This is achieved through mass assignment of the authorId attribute. Users with 'Create Entries' permission can manipulate the authorIds parameter in POST requests, bypassing backend authorization checks. The vulnerability could be exploited to create entries that falsely appear to be authored by higher-privileged users, potentially misusing their trust or authority.
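As an added illustration, not Craft's own code: a PHP sketch of the mass-assignment pattern described above next to the kind of author-assignment check that prevents it. The User class, the 'createEntries' and 'assignEntryAuthors' permission names, and the request array are assumptions for the example.

```php
<?php
// Added example (not Craft CMS code): the mass-assignment flaw described
// above beside the check that closes it. User/permission names and the
// request shape are assumptions for illustration, not Craft's real API.
final class User
{
    public function __construct(
        public readonly int $id,
        public readonly bool $admin,
        public readonly array $permissions = [],
    ) {}

    public function can(string $permission): bool
    {
        return $this->admin || in_array($permission, $this->permissions, true);
    }
}

// Vulnerable pattern: every posted attribute, authorIds included, is copied
// onto the entry, so anyone who may create entries can name any author.
function buildEntryUnsafe(User $actor, array $post): array
{
    $entry = ['title' => '', 'authorIds' => [$actor->id]];
    foreach ($post as $key => $value) {
        $entry[$key] = $value; // mass assignment, no allow-list
    }
    return $entry;
}

// Hardened pattern: bind only allow-listed attributes, and honour authorIds
// only when the actor holds a distinct permission to assign other authors.
function buildEntrySafe(User $actor, array $post): array
{
    $entry = ['title' => (string)($post['title'] ?? ''), 'authorIds' => [$actor->id]];
    if (isset($post['authorIds'])) {
        $requested = array_map('intval', (array)$post['authorIds']);
        if ($requested !== [$actor->id] && !$actor->can('assignEntryAuthors')) {
            throw new RuntimeException('Not permitted to attribute the entry to another user');
        }
        $entry['authorIds'] = $requested;
    }
    return $entry;
}

// Constructed request: an editor holding only 'createEntries' posts authorIds of user 1.
$editor = new User(id: 42, admin: false, permissions: ['createEntries']);
$post = ['title' => 'Hello', 'authorIds' => ['1']];
var_dump(buildEntryUnsafe($editor, $post)['authorIds']); // accepted as posted
try { buildEntrySafe($editor, $post); } catch (RuntimeException $e) { echo $e->getMessage(), PHP_EOL; }
```

The safe builder leaves the actor as the author unless a separate permission grants attribution to others, which is the distinction the 'Create Entries' check alone does not make.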

Impact

Exploitation of this vulnerability allows users to create entries that are attributed to administrators or other trusted individuals, effectively bypassing normal review processes and potentially leading to the publication of inappropriate or harmful content under false pretenses.

Reproduction

To reproduce this vulnerability, log in as a user with 'Create Entries' permission. Navigate to the 'Entries' section and start a new entry. Intercept the request using a proxy tool like Burp Suite. Add the authorIds parameter with the ID of a victim user, such as an admin. Forward the request and then check the entries as the victim user to see the spoofed authorship.

Remediation

Users can update to Craft CMS versions 4.17.0-beta.1 or 5.9.0-beta.1, where this vulnerability has been fixed.

Added: Mar 4, 2026, 5:39 PM
Updated: Mar 4, 2026, 6:15 PM

Vulnerability Rating

Custom Algorithm
spread          5.2
impact          0.6
exploitability  6.8
remediation     7.7
relevance       3.5
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.