Craft CMS CVE-2023-41892
Update your Craft CMS 4 installation. There is a low-effort, high-impact vulnerability out there.
Affected Craft CMS versions
>= 4.0.0-RC1
- starts with Craft CMS 4, Craft 3 is not affected
<= 4.4.14
- 4.4.15 and higher are not affected
Actions we have been taking
As your friendly Craft CMS web-hosting service, we have identified affected Apps by automatically scanning the deployed composer.json file and informed attached Accounts about the vulnerability by email.
Actions to be done by you
Dear webmaster, check your current version, and update your public Craft CMS 4 installation to at least version 4.4.15 if required. The higher the better. The most current version as of writing is 4.8. We recommend updating your local installation in your web development environment first and then deploying the latest version. Here is a guide on how to best do that.
In addition, as recommended, it's best to reset all the passwords of your Craft CMS users, refresh the security key, reset the database password, and reset all private details or secrets that might have been leaked.
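One way to run the version check yourself, as an added example (not the hosting service's actual scanner): it reads the `craftcms/cms` entry from a `composer.lock` or `composer.json` file and compares it with the affected range given above. The function names and sample inputs are assumptions made for this example, and reading `composer.lock` for the exact installed version is an addition to the composer.json scan described above.

```python
import json
import re

# Affected range as stated in the advisory: >= 4.0.0-RC1 and <= 4.4.14.
FIRST_AFFECTED, LAST_AFFECTED = "4.0.0-RC1", "4.4.14"
# Pre-release stages sort before the plain release of the same number.
STAGES = {"alpha": 0, "beta": 1, "rc": 2, "": 3}
VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)\.?(\d*))?")


def version_key(version):
    """Map an exact version such as '4.0.0-RC1' to a sortable tuple."""
    m = VERSION_RE.fullmatch(version.strip())
    if not m or (m.group(4) or "").lower() not in STAGES:
        raise ValueError(f"not an exact version: {version!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    stage = STAGES[(m.group(4) or "").lower()]
    return (major, minor, patch, stage, int(m.group(5) or 0))


def craft_version(composer_text):
    """Return the craftcms/cms version string from composer.lock or composer.json."""
    doc = json.loads(composer_text)
    for pkg in doc.get("packages", []):  # composer.lock: exact installed versions
        if pkg.get("name") == "craftcms/cms":
            return pkg.get("version")
    return doc.get("require", {}).get("craftcms/cms")  # composer.json: constraint


def classify(composer_text):
    """Return 'affected', 'not affected', 'unknown' or 'not installed'."""
    version = craft_version(composer_text)
    if version is None:
        return "not installed"
    try:
        key = version_key(version)
    except ValueError:
        return "unknown"  # a range such as ^4.4.0 does not pin one version
    in_range = version_key(FIRST_AFFECTED) <= key <= version_key(LAST_AFFECTED)
    return "affected" if in_range else "not affected"


# Constructed sample inputs, not taken from any real project.
SAMPLE_LOCK = '{"packages": [{"name": "craftcms/cms", "version": "4.4.14"}]}'
SAMPLE_JSON = '{"require": {"craftcms/cms": "^4.4.0"}}'

if __name__ == "__main__":
    print(classify(SAMPLE_LOCK), classify(SAMPLE_JSON))
```

A result of `unknown` means the file only carries a version range, so the installed version has to be read from `composer.lock` or the Craft control panel instead.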