TinaCMS Path Traversal Vulnerability Combined with CORS Misconfiguration Allowing Cross-Origin File Exfiltration
Vulnerability
A vulnerability in the TinaCMS CLI development server prior to version 2.1.8 allows cross-origin file exfiltration. The issue arises from a permissive Cross-Origin Resource Sharing (CORS) configuration that accepts requests from any origin, combined with a path traversal vulnerability. When the two are exploited together, a remote attacker can use a victim's browser to reach the local filesystem of a developer running the TinaCMS dev server. The attacker can enumerate files, read sensitive information, and write or delete arbitrary files on the developer's machine.
Impact
Exploitation of this vulnerability allows attackers to silently access and exfiltrate files from the victim's filesystem to an external server. This could include sensitive information such as environment variables, Git configuration files, SSH keys, cloud credentials, and database configuration files. Additionally, attackers could overwrite project source files or delete files via the TinaCMS media management endpoints.
Reproduction
To reproduce this vulnerability, start the TinaCMS development server by running 'tinacms dev'. Once the server is running, visit an attacker-controlled website that hosts a malicious script. This script will exploit the CORS vulnerability and path traversal to access files from the TinaCMS dev server, which is running on localhost:4001. The accessed files can then be sent to an external server controlled by the attacker.
Remediation
Users should update TinaCMS to version 2.1.8 or later, where this vulnerability has been fixed.
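The two checks whose absence this advisory describes, an origin allowlist and a path containment test, are sketched below as an added example; this is not TinaCMS code or the project's actual fix. The function names, the allowed origins and the /srv/project/public root are assumptions for illustration; only port 4001 comes from the advisory.

```javascript
// Added illustration, not TinaCMS source. All names are hypothetical.
const path = require("node:path");

// Assumption: only the developer's own local pages may call the dev API.
const ALLOWED_ORIGINS = new Set(["http://localhost:4001", "http://127.0.0.1:4001"]);

// Value for Access-Control-Allow-Origin, or null to send no CORS header.
// Answering every Origin (or "*") lets any website read the responses.
function corsOriginFor(origin) {
  return ALLOWED_ORIGINS.has(origin) ? origin : null;
}

// Resolve a client-supplied path under root; throw if it would leave root.
// Lexical check only: a symlink inside root also needs an fs.realpath check.
function resolveInside(root, requested) {
  if (typeof requested !== "string" || requested.includes("\0")) {
    throw new Error("invalid path");
  }
  const base = path.resolve(root);
  const target = path.resolve(base, requested);
  const rel = path.relative(base, target);
  if (rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel)) {
    throw new Error("path escapes root");
  }
  return target;
}

// Gate for a media endpoint. A foreign Origin is refused outright rather than
// only denied CORS headers, because writes and deletes take effect on the
// server even when the browser hides the response from the calling page.
function handleMediaRequest(origin, requested, root) {
  if (origin !== undefined && corsOriginFor(origin) === null) {
    return { status: 403, reason: "origin not allowed" };
  }
  try {
    return { status: 200, file: resolveInside(root, requested) };
  } catch (err) {
    return { status: 400, reason: err.message };
  }
}

// Constructed sample requests (not captured traffic).
const ROOT = "/srv/project/public";
for (const [origin, p] of [
  ["https://attacker.example", "logo.png"],
  ["http://localhost:4001", "../../.env"],
  ["http://localhost:4001", "img/logo.png"],
]) {
  console.log(origin, p, handleMediaRequest(origin, p, ROOT));
}
```

Requests without an Origin header (non-browser clients, same-origin GETs) pass the origin gate in this sketch, so the path check must hold on its own.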
