Craft CMS Unauthenticated Access to Config Sync Actions Vulnerability

Vulnerability

A vulnerability exists in Craft CMS versions 4.0.0-RC1 prior to 4.17.8 and 5.0.0-RC1 prior to 5.9.14, allowing guest users to access the Config Sync updater index. This access enables them to obtain signed data and execute state-changing Config Sync actions, such as 'regenerate-yaml' and 'apply-yaml-changes', without authentication. The issue arises because the 'ConfigSyncController' is publicly accessible for control panel requests, allowing unauthorized users to perform actions that should be restricted to trusted users.

Impact

Exploitation of this vulnerability allows unauthorized users to execute configuration sync operations, potentially leading to unauthorized changes in the application's configuration state and associated files. This could disrupt the application's normal operation and integrity.

Reproduction

To reproduce this vulnerability, first send a POST request as a guest user to the 'Config Sync' updater index. This will return a response containing signed updater state data. This data can then be extracted and reused in subsequent POST requests to 'regenerate-yaml' or 'apply-yaml-changes' actions, along with the necessary CSRF token. After observing the response, note any changes in the application's configuration files or state that result from the action.

Remediation

Users can upgrade to Craft CMS versions 4.17.8 or 5.9.14, where this vulnerability has been patched.
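A version check against the affected ranges stated above, as an added example (not code from Craft CMS or from this advisory). It assumes version strings are written as X.Y.Z or X.Y.Z-RCn, the only forms the advisory uses, and treats a release candidate as older than the final release of the same number, which is why 4.0.0-RC1 falls inside the range while 4.17.8 does not.

```python
import re
from typing import Optional, Tuple

# Affected ranges from the advisory: 4.0.0-RC1 <= v < 4.17.8 and 5.0.0-RC1 <= v < 5.9.14.
# The upper bound of each range is also the patched release to upgrade to.
AFFECTED_RANGES = [
    ("4.0.0-RC1", "4.17.8"),
    ("5.0.0-RC1", "5.9.14"),
]

# Assumption: only final releases (X.Y.Z) and release candidates (X.Y.Z-RCn) are handled.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-RC(\d+))?$", re.IGNORECASE)


def parse_version(v: str) -> Tuple[int, int, int, int, int]:
    """Turn 'X.Y.Z' or 'X.Y.Z-RCn' into a tuple that compares in release order.

    The fourth field ranks pre-release (0 for RC) below final (1), so
    4.0.0-RC1 < 4.0.0; the fifth field orders RCs among themselves.
    """
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised Craft CMS version string: {v!r}")
    major, minor, patch, rc = m.groups()
    if rc is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(rc))


def fixed_version_for(version: str) -> Optional[str]:
    """Return the patched release an affected install should move to, or None if not affected."""
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        if parse_version(low) <= v < parse_version(high):
            return high
    return None


def is_affected(version: str) -> bool:
    """True if the version lies inside one of the advisory's affected ranges."""
    return fixed_version_for(version) is not None


if __name__ == "__main__":
    # Constructed sample versions covering both range boundaries and an unrelated major.
    for sample in ("4.0.0-RC1", "4.17.7", "4.17.8", "5.9.13", "5.9.14", "3.9.0"):
        fix = fixed_version_for(sample)
        print(sample, f"affected, upgrade to {fix}" if fix else "not affected")
```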

Added: Mar 24, 2026, 6:33 PM
Updated: Mar 24, 2026, 6:33 PM

Vulnerability Rating

Custom Algorithm (score per category, 0-10)
spread: 5.2
impact: 2.5
exploitability: 9.7
remediation: 7.7
relevance: 4.6
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.