Craft CMS Information Disclosure Vulnerability in AssetsController

Vulnerability

A vulnerability in Craft CMS's AssetsController allows authenticated control panel users to access information about assets in volumes they do not have permission to view. This issue affects Craft CMS versions 5.0.0-RC1 prior to 5.9.18. The vulnerability arises because the actionShowInFolder method retrieves an asset by its ID and discloses its filename along with the complete folder hierarchy, including volume details, without verifying whether the user holds the necessary permissions on the asset's volume. As a result, any authenticated user can enumerate asset information by supplying arbitrary asset IDs.

Impact

Exploitation of this vulnerability allows authenticated users who lack the relevant volume permission to access and enumerate asset filenames and folder structures in volumes they are not permitted to view. This could enable further targeted attacks, such as exfiltration of private files, particularly once the filenames and paths of confidential assets are known.

Remediation

Users can upgrade to Craft CMS version 5.9.18 or later to address this vulnerability.
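The following is an added illustration of the authorization gap described in this advisory, written in plain Python rather than Craft's PHP; it is not Craft CMS code. It models a small in-memory asset store (constructed sample data), a handler that mirrors the flaw by returning the folder path for any asset ID, and a hardened handler that checks the caller's permission on the asset's volume before disclosing anything. The permission-name format `viewAssets:<volume uid>` and all function and class names are assumptions for the example.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Folder:
    id: int
    name: str
    parent_id: Optional[int]  # None marks a volume root folder


@dataclass(frozen=True)
class Volume:
    uid: str
    name: str


@dataclass(frozen=True)
class Asset:
    id: int
    filename: str
    folder_id: int
    volume_uid: str


# Constructed sample data: two volumes, one public and one restricted.
VOLUMES = {
    "pub-uid": Volume("pub-uid", "Public"),
    "hr-uid": Volume("hr-uid", "HR Private"),
}
FOLDERS = {
    1: Folder(1, "Public", None),
    2: Folder(2, "HR Private", None),
    3: Folder(3, "contracts", 2),
}
ASSETS = {
    10: Asset(10, "logo.png", 1, "pub-uid"),
    11: Asset(11, "severance-jdoe.pdf", 3, "hr-uid"),
}


@dataclass
class User:
    """Minimal stand-in for a control panel user and their permission set."""
    permissions: set = field(default_factory=set)

    def can(self, permission: str) -> bool:
        return permission in self.permissions


def folder_path(folder_id: int) -> list:
    """Walk parent links up to the volume root; return names root-first."""
    names = []
    current = folder_id
    while current is not None:
        folder = FOLDERS[current]
        names.append(folder.name)
        current = folder.parent_id
    return list(reversed(names))


def show_in_folder_vulnerable(user: User, asset_id: int) -> dict:
    """Mirrors the flaw in the advisory: the asset is looked up by ID and its
    filename, folder hierarchy and volume are returned with no check that
    the caller may view that volume."""
    asset = ASSETS.get(asset_id)
    if asset is None:
        return {"status": 404}
    return {
        "status": 200,
        "filename": asset.filename,
        "path": folder_path(asset.folder_id),
        "volume": VOLUMES[asset.volume_uid].name,
    }


def show_in_folder_fixed(user: User, asset_id: int) -> dict:
    """Hardened handler: resolve the asset, then require a per-volume view
    permission before disclosing anything. A missing asset and a forbidden
    asset produce the same response so the endpoint cannot be used to
    confirm which asset IDs exist."""
    asset = ASSETS.get(asset_id)
    if asset is None or not user.can(f"viewAssets:{asset.volume_uid}"):
        return {"status": 403}
    return {
        "status": 200,
        "filename": asset.filename,
        "path": folder_path(asset.folder_id),
        "volume": VOLUMES[asset.volume_uid].name,
    }


if __name__ == "__main__":
    editor = User({"viewAssets:pub-uid"})  # may see Public only
    print(show_in_folder_vulnerable(editor, 11))  # leaks HR Private path
    print(show_in_folder_fixed(editor, 11))       # {'status': 403}
    print(show_in_folder_fixed(editor, 10))       # Public asset, allowed
```

The defensive point is that the permission check is keyed on the volume of the asset actually resolved, not on any volume or folder ID the caller supplies, since those could be inconsistent with the asset. When reviewing similar controllers, confirm that every action accepting an asset ID performs this check after the lookup and before any attribute of the asset reaches the response.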

Added: May 12, 2026, 9:21 PM
Updated: May 12, 2026, 9:21 PM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 0.6
exploitability: 6.1
remediation: 7.7
relevance: 8.1
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.