Statamic CMS Users Beware of XSS Vulnerability

CVE: CVE-2024-24570
CVSS v3.1: 8.2
Source: CVE-2024-24570

Statamic is a popular Laravel- and Git-powered content management system (CMS) that was found to have a cross-site scripting (XSS) vulnerability. Hackers could craft HTML files that look like image files and upload them to Statamic sites, which would allow malicious scripts to run on sites using affected versions of Statamic.

The vulnerability was present in the file upload forms of both the front-end and the admin area, which lacked proper file type validation. If exploited, hackers could steal user cookies and passwords or redirect users to malicious sites. Even admins could be impacted if a user fell for a crafted XSS attack on a password reset page.

Luckily, the developers have released patches in versions 4.46.0 and 3.4.17 that fix the XSS issue and disable the vulnerable password reset functionality. All Statamic users are advised to update immediately. You should also be wary of any unexpected image files that have been uploaded to your site.
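Upgrading is the fix; the following is an added audit script (not Statamic's own code) that illustrates the two checks such an upload path needs and that you can run over an existing asset directory. It verifies that a file's extension is on an image allow-list, that its leading bytes match that format's magic signature, and that the body contains no HTML or script markup, so a file that starts with valid image bytes but is HTML underneath is still flagged. The extension table, marker list and sample files are constructed for this example.

```python
"""Flag uploaded "image" files that are really HTML (added example, not Statamic code)."""
import os
import re
from typing import Iterator, Tuple

# Constructed allow-list of image extensions and the magic bytes each must start with.
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

# Conservative markers: a genuine image (EXIF/XMP metadata included) has no reason to
# contain these, while a browser would act on them if the file were rendered as HTML.
HTML_MARKERS = re.compile(
    rb"<\s*(script|html|iframe|svg|object|embed|body)\b|javascript:", re.IGNORECASE
)


def classify_upload(filename: str, data: bytes) -> str:
    """Return 'accept' or a 'reject: <reason>' verdict for one uploaded file."""
    ext = os.path.splitext(filename)[1].lower()
    signatures = MAGIC.get(ext)
    if signatures is None:
        return "reject: extension not in image allow-list"
    # Check 1: the content really begins like the image type the name claims.
    if not any(data.startswith(sig) for sig in signatures):
        return "reject: content does not match claimed image type"
    # Check 2: valid magic bytes are not enough; a polyglot can still carry HTML.
    if HTML_MARKERS.search(data):
        return "reject: image contains HTML/script markup"
    return "accept"


def audit_directory(root: str) -> Iterator[Tuple[str, str]]:
    """Yield (path, verdict) for every file under root that is not a clean image."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                verdict = classify_upload(name, fh.read())
            if verdict != "accept":
                yield path, verdict


if __name__ == "__main__":
    import sys
    for path, verdict in audit_directory(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{verdict}\t{path}")
```

Run it as `python audit_uploads.py public/assets` to list every stored asset that fails either check; a clean run prints nothing.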

To stay protected, always keep your software updated, use strong and unique passwords, and monitor your sites for suspicious activity. Practice web security basics like input sanitization to prevent exploits. Staying on top of patches is one of the best ways to avoid falling victim to vulnerabilities like this one in the future.
