Craft CMS Privilege Escalation Vulnerability in UsersController Impersonation Action

Vulnerability

A privilege escalation vulnerability has been identified in Craft CMS versions 4.0.0-RC1 prior to 4.17.6 and 5.0.0-RC1 prior to 5.9.12. The issue allows low-privilege users, or unauthenticated users with a shared URL, to gain admin rights by exploiting the UsersController's actionImpersonateWithToken. The vulnerability arises because the impersonation action does not properly validate tokens, allowing unauthorized access to admin privileges.

Impact

Exploitation of this vulnerability allows for unauthorized privilege escalation, granting admin rights to low-privilege or unauthenticated users.

Reproduction

To reproduce this vulnerability, first obtain a valid preview token by creating a blog entry in Craft CMS and clicking the 'Preview' button. This token can be found in the iframe source URL. Once the token is obtained, append it to a request to the impersonation endpoint, along with the userId parameter set to '1', which typically corresponds to the admin user. If successful, the admin dashboard will be accessible without authentication.
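Since the request pattern above is distinctive (the impersonation action called with a token and a userId in the same request), it can be hunted for in web server access logs. The following detector is an added example for defenders, not code from Craft CMS or from the advisory. It assumes Craft maps actionImpersonateWithToken to a "users/impersonate-with-token" route reachable either under an "actions/" path prefix or via an "action" query parameter, and that the preview token travels in a "token" query parameter; adjust those constants to match your deployment. The log lines are constructed samples in combined log format.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Assumed route and parameter names (see lead-in); not taken from the advisory.
IMPERSONATE_ROUTE = "users/impersonate-with-token"
TOKEN_PARAM = "token"
USER_PARAM = "userId"

# Combined log format: client, identd, user, [timestamp], "METHOD target PROTO", status, ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample log: two impersonation attempts, one ordinary preview, one dashboard hit.
SAMPLE_LOG = [
    '203.0.113.7 - - [16/Mar/2026:21:05:00 +0000] "GET /actions/users/impersonate-with-token?token=abc123&userId=1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [16/Mar/2026:21:06:10 +0000] "GET /blog/hello-world?token=abc123 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [16/Mar/2026:21:07:42 +0000] "GET /index.php?action=users/impersonate-with-token&token=abc123&userId=1 HTTP/1.1" 302 0 "-" "curl/8.0"',
    '192.0.2.9 - - [16/Mar/2026:21:08:01 +0000] "GET /admin/dashboard HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
]


def parse_log_line(line: str) -> Optional[Dict]:
    """Split one access-log line into its request fields; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, timestamp, method, target, status = m.groups()
    parts = urlsplit(target)
    # parse_qs returns lists; keep the first value of each parameter.
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {
        "client": client,
        "time": timestamp,
        "method": method,
        "path": parts.path,
        "query": query,
        "status": int(status),
    }


def is_suspicious(req: Optional[Dict]) -> bool:
    """Flag a call to the impersonation route that carries both a token and a user id."""
    if req is None:
        return False
    route_hit = (
        IMPERSONATE_ROUTE in req["path"]
        or IMPERSONATE_ROUTE in req["query"].get("action", "")
    )
    return route_hit and TOKEN_PARAM in req["query"] and USER_PARAM in req["query"]


def find_suspicious(lines: List[str]) -> List[Dict]:
    """Return the parsed requests from `lines` that match the impersonation pattern."""
    return [req for req in map(parse_log_line, lines) if is_suspicious(req)]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} -> userId={hit['query'][USER_PARAM]} status={hit['status']}")
```

A match is a lead, not proof of compromise: a legitimate administrator using Craft's impersonation feature can produce the same shape of request, so correlate hits with the originating client, the session that issued them, and whether a preview token was minted shortly before.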

Remediation

Users should update Craft CMS to version 4.17.6 (for the 4.x line) or 5.9.12 (for the 5.x line).
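A quick way to check whether an installed Craft CMS version falls inside the affected ranges stated in the Vulnerability and Remediation sections above. This is an added example, not code from Craft CMS or from the advisory; it assumes the advisory's "prior to" means the fixed version itself is not affected, and that a release candidate sorts before the corresponding final release (so a hypothetical 5.9.12-RC1 would still count as affected). The version strings are parsed with a small purpose-built parser rather than a third-party library.

```python
import re
from typing import Optional, Tuple

# Affected ranges taken from the advisory: lower bound inclusive,
# upper bound (the fixed version) exclusive.
AFFECTED_RANGES = (
    ("4.0.0-RC1", "4.17.6"),
    ("5.0.0-RC1", "5.9.12"),
)

# Accepts MAJOR.MINOR.PATCH with an optional -RCn suffix (case-insensitive).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-RC(\d+))?$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn 'MAJOR.MINOR.PATCH[-RCn]' into a tuple that sorts correctly.

    The fourth element is 0 for a release candidate and 1 for a final release,
    so 4.0.0-RC1 < 4.0.0; the fifth element orders RCs among themselves.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    major, minor, patch, rc = m.groups()
    if rc is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(rc))


def fixed_version_for(installed: str) -> Optional[str]:
    """Return the version to upgrade to if `installed` is affected, else None."""
    v = parse_version(installed)
    for lower, fixed in AFFECTED_RANGES:
        if parse_version(lower) <= v < parse_version(fixed):
            return fixed
    return None


def is_affected(installed: str) -> bool:
    """True when the installed version lies in one of the advisory's ranges."""
    return fixed_version_for(installed) is not None


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for version in ("4.17.5", "4.17.6", "4.0.0-RC1", "5.9.12-RC1", "5.9.12", "3.9.0"):
        fix = fixed_version_for(version)
        status = f"affected, upgrade to {fix}" if fix else "not in an affected range"
        print(f"{version:12} {status}")
```

Versions outside the two stated lines (for example 3.x) are reported as not in an affected range because the advisory says nothing about them, not because they are known to be safe.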

Added: Mar 16, 2026, 9:05 PM
Updated: Mar 16, 2026, 9:05 PM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 5.0
exploitability: 6.5
remediation: 7.7
relevance: 4.3
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.