Craft CMS Azure Blob Storage Plugin Unauthenticated Information Disclosure Vulnerability
Vulnerability
A critical information disclosure vulnerability has been identified in the Azure Blob Storage for Craft CMS plugin, specifically in versions 2.0.0-beta.1 through 2.1.0. The issue allows unauthenticated users to access a list of buckets that the plugin can interact with. This vulnerability arises because the 'DefaultController->actionLoadContainerData()' endpoint permits unauthenticated users with a valid CSRF token to view accessible buckets. Additionally, Azure's error messages can inadvertently expose sensitive data, creating further potential attack vectors.
Impact
Exploitation of this vulnerability could lead to unauthorized access to information about Azure Blob Storage buckets, including potentially sensitive data, depending on the specific contents of those buckets.
Remediation
Users are advised to update the Azure Blob Storage for Craft CMS plugin to version 2.1.1.
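As an added illustration that is not the plugin's own code, the PHP below shows the general shape of the weakness described above in a Craft CMS 4 controller, beside a hardened form: an action that anyone can call because it only passes Craft's CSRF check (any visitor can obtain a CSRF token, so it is not an authentication control) and that returns the storage provider's raw error text, next to an action that requires a logged-in user with a permission and returns only a generic error to the client. Class names, the permission name and the listContainers() helper are hypothetical.

```php
<?php
// Added example, not code from the Azure Blob Storage plugin. Names are hypothetical.
namespace hypothetical\controllers;
use Craft;
use craft\web\Controller;
use yii\web\Response;
trait ListsContainers
{
    // Hypothetical stand-in for the storage client call; returns constructed data.
    protected function listContainers(): array
    {
        return ['assets-prod', 'backups'];
    }
}
class ContainerDataController extends Controller
{
    use ListsContainers;
    // Weak: callable without a logged-in user. Craft's CSRF check still runs on
    // POST, but any visitor can obtain a token, so it is not authentication.
    protected array|int|bool $allowAnonymous = ['load-container-data'];
    public function actionLoadContainerData(): Response
    {
        $this->requirePostRequest();
        try {
            return $this->asJson(['containers' => $this->listContainers()]);
        } catch (\Throwable $e) {
            // Weak: echoes the provider's message, which may carry account details.
            return $this->asJson(['error' => $e->getMessage()]);
        }
    }
}
class HardenedContainerDataController extends Controller
{
    use ListsContainers;
    // Hardened: never reachable anonymously; the action also checks a permission.
    protected array|int|bool $allowAnonymous = self::ALLOW_ANONYMOUS_NEVER;
    public function actionLoadContainerData(): Response
    {
        $this->requirePostRequest();
        $this->requireLogin();
        $this->requirePermission('viewStorageContainers'); // hypothetical permission
        try {
            return $this->asJson(['containers' => $this->listContainers()]);
        } catch (\Throwable $e) {
            // Log the detail server-side; return only a generic message to the client.
            Craft::error('Container listing failed: ' . $e->getMessage(), __METHOD__);
            return $this->asJson(['error' => 'Could not load container list.']);
        }
    }
}
```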
