php · craftcms/cms · Critical
Craft CMS SSRF and Arbitrary JS Injection via /actions/app/resource-js
What changed
Craft CMS is vulnerable to server-side request forgery (SSRF) and arbitrary JavaScript injection through the /actions/app/resource-js endpoint. The root cause is a combination of the default permissive trustedHosts setting (['any']), which accepts forwarded host information from any upstream, and insecure behaviour in the HTTP client the endpoint uses to fetch the resource it serves back as JavaScript.
Who it affects
All Craft CMS installations that keep the default trustedHosts configuration (['any']) and have assetManager.cacheSourcePaths set to false. Sites behind a caching layer are at higher risk, because a response poisoned through this endpoint can be cached and served to other visitors.
What to do today
Apply the vendor patch if one is available for your version. Whether or not you can patch immediately, restrict trustedHosts to the reverse proxies and hostnames you actually operate, and set assetManager.cacheSourcePaths to true. If a caching layer sits in front of the site, purge cached responses for the /actions/app/resource-js path after changing the configuration.
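The hardened configuration, as an added example that is not part of the advisory or of Craft's own code. It assumes Craft's config/app.php component-override mechanism with the craft\helpers\App::webRequestConfig() and App::assetManagerConfig() helpers (the assetManager helper name is an assumption), and the proxy addresses and hostname are placeholders to be replaced with your own:

```php
<?php
// config/app.php -- added hardening example, not from the advisory.
// Assumes Craft's component-override mechanism and the
// craft\helpers\App::webRequestConfig() / App::assetManagerConfig()
// helpers (assetManagerConfig() is assumed to exist with this name).

use craft\helpers\App;

return [
    'components' => [
        // Weak default: 'trustedHosts' => ['any'] trusts forwarded host
        // information from every upstream, including an attacker's client.
        'request' => function() {
            $config = App::webRequestConfig();
            // Only these sources may supply forwarded headers; the values
            // below are placeholders (assumption) for your real proxy CIDRs
            // and public hostname. Keys are host/IP patterns; an array value
            // lists the forwarded headers that source is allowed to set.
            $config['trustedHosts'] = [
                '10.0.0.0/8' => ['X-Forwarded-Host', 'X-Forwarded-Proto', 'X-Forwarded-For'],
                'www.example.com',
            ];
            return Craft::createObject($config);
        },
        // Weak default described by the advisory: cacheSourcePaths = false.
        'assetManager' => function() {
            $config = App::assetManagerConfig();
            $config['cacheSourcePaths'] = true;
            return Craft::createObject($config);
        },
    ],
];
```

After deploying, confirm behind your proxy that requests carrying a forged X-Forwarded-Host from an untrusted source no longer influence the host the application uses to build resource URLs.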