Craft CMS Cross-Site Request Forgery Vulnerability in Preview Token Endpoint

Vulnerability

A cross-site request forgery (CSRF) vulnerability has been identified in Craft CMS versions 4.0.0-RC1 prior to 4.17.3 and 5.0.0-RC1 prior to 5.9.6. The issue resides in the preview token endpoint, which accepts an attacker-supplied preview token. The endpoint neither requires POST requests nor enforces CSRF token validation, so an attacker can cause a logged-in victim editor to generate a preview token of the attacker's choosing. That token can then be used, without authentication, to access previewed or unpublished content within the victim's authorized preview scope.

Impact

Exploitation of this vulnerability allows for CSRF-based generation of preview tokens, unauthorized access to draft or provisional content through token replay, and stealthy one-click exploitation against logged-in editors or admins.

Reproduction

To reproduce this vulnerability, an attacker must first prepare a 32-character preview token. They can then send a link to a logged-in victim editor that includes this token, along with other necessary parameters such as the element type, canonical ID, and site ID. If the victim is authorized to preview the specified element, Craft CMS will create the token as requested. The attacker can then access the preview content using the generated token, which will bypass authentication and reveal unpublished or draft content.
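The two observable halves of this issue, a non-POST token-creation request carrying an attacker-chosen 32-character token from an off-site referer, and a later request that presents that same token with no session, can both be picked out of web access logs. The following detection sketch is an added example, not code from Craft CMS or from this advisory; the endpoint path, parameter names, log field names and the sample log lines are all constructed placeholders, since the page does not name the actual route or parameters.

```python
"""Added example: flag preview-token CSRF shapes in access logs.

All paths, parameter names and log fields below are assumptions
(placeholders), not Craft CMS's real route or parameter names.
"""
import json
import re

# Assumed route of the preview-token endpoint (placeholder).
TOKEN_ENDPOINT = "/actions/preview/create-token"
# Assumed name of the attacker-controllable token parameter (placeholder).
TOKEN_PARAM = "previewToken"
# Assumed name of the parameter used when presenting a token to view a preview.
VIEW_TOKEN_PARAM = "token"
# The advisory describes the token as 32 characters long.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{32}$")
# Placeholder for the site's own origin; requests from the control panel
# are expected to carry a same-origin referer.
SITE_ORIGIN = "https://cms.example"

# Constructed sample log (one JSON object per line). Session values are
# labels standing in for real session cookies. Lines 1-2 model the CSRF
# pattern; lines 3-4 model a legitimate editor preview.
SAMPLE_LOG = """\
{"ts":"2026-03-10T20:55:01Z","method":"GET","path":"/actions/preview/create-token","query":{"previewToken":"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA","elementType":"entry","canonicalId":"12","siteId":"1"},"session":"sess-editor-1","referer":"https://evil.example/lure"}
{"ts":"2026-03-10T20:55:09Z","method":"GET","path":"/news/unpublished-post","query":{"token":"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"},"session":null,"referer":null}
{"ts":"2026-03-10T21:00:00Z","method":"POST","path":"/actions/preview/create-token","query":{"elementType":"entry","canonicalId":"12","siteId":"1"},"session":"sess-editor-2","referer":"https://cms.example/admin/entries/12"}
{"ts":"2026-03-10T21:00:03Z","method":"GET","path":"/news/unpublished-post","query":{"token":"BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"},"session":"sess-editor-2","referer":"https://cms.example/admin/entries/12"}
"""


def parse_log(text):
    """Parse JSON-lines access log text into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_cross_site(rec):
    """True when the referer is missing or not from the site's own origin."""
    ref = rec.get("referer")
    return ref is None or not ref.startswith(SITE_ORIGIN + "/")


def find_forged_token_creation(records):
    """Token-creation requests matching the CSRF shape in the advisory:
    not a POST, a client-supplied 32-character token in the query string,
    and a referer that is not the site's own origin."""
    hits = []
    for rec in records:
        if rec["path"] != TOKEN_ENDPOINT:
            continue
        supplied = rec["query"].get(TOKEN_PARAM)
        if (rec["method"] != "POST" and supplied
                and TOKEN_RE.match(supplied) and is_cross_site(rec)):
            hits.append(rec)
    return hits


def find_token_replay(records):
    """Tokens supplied through the creation endpoint by an authenticated
    session and later presented by a request that has no session at all."""
    supplied_by = {}  # token -> session that was tricked into creating it
    replays = []
    for rec in sorted(records, key=lambda r: r["ts"]):
        if rec["path"] == TOKEN_ENDPOINT and rec.get("session"):
            tok = rec["query"].get(TOKEN_PARAM)
            if tok:
                supplied_by.setdefault(tok, rec["session"])
            continue
        tok = rec["query"].get(VIEW_TOKEN_PARAM)
        if tok in supplied_by and not rec.get("session"):
            replays.append({"token": tok, "issued_to": supplied_by[tok],
                            "ts": rec["ts"]})
    return replays


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for hit in find_forged_token_creation(recs):
        print("forged token creation:", hit["ts"], hit["session"], hit["referer"])
    for rep in find_token_replay(recs):
        print("token replay:", rep)
```

On the sample log the first line is reported as a forged token creation and the second as a replay of the token issued to `sess-editor-1`; the legitimate POST and the editor's own session-bound preview request are not flagged. The referer check is only a weak signal (browsers and privacy extensions strip it), so the token-in-query and non-POST conditions carry the detection; after upgrading to the fixed versions, any non-POST request to the endpoint should be rejected by the server and the rule should go quiet.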

Remediation

Update to Craft CMS 4.17.4 or 5.9.7, which address this vulnerability.

Added: Mar 10, 2026, 9:01 PM
Updated: Mar 10, 2026, 9:01 PM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 0.6
exploitability: 7.4
remediation: 7.7
relevance: 3.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.