VDB
KO
MEDIUM

GHSA-qh45-9g5p-m2v4

Craft CMS: Unauthorized Deletion of Source Assets During File Replacement

Details

We have identified an authorization issue in Craft CMS `AssetsController::actionReplaceFile` that can delete a source asset without source delete permission by supplying both `assetId` and `sourceAssetId`.

### Description

Craft CMS’s `craft\\controllers\\AssetsController::actionReplaceFile()` supports replacing a target asset file using another existing asset as the source. The action loads:

- `$assetToReplace` from `assetId` - `$sourceAsset` from `sourceAssetId`

It then enforces replace permissions using `($assetToReplace ?: $sourceAsset)`. When both IDs are provided, this expression resolves to the target asset so no permission check is performed against the source asset volume.

```php $this->requireVolumePermissionByAsset('replaceFiles', $assetToReplace ?: $sourceAsset); $this->requirePeerVolumePermissionByAsset('replacePeerFiles', $assetToReplace ?: $sourceAsset); ```

[*src/controllers/AssetsController.php:L433-L434*](https://github.com/craftcms/cms/blob/5.x/src/controllers/AssetsController.php#L433-L434)

In the branch where both assets are present, Craft copies the source file into the target and then deletes the source asset. There is no check for `deleteAssets:<sourceVolumeUid>` or `deletePeerAssets:<sourceVolumeUid>` for the source asset before deletion.

```php $assets->replaceAssetFile($assetToReplace, $tempPath, $assetToReplace->getFilename(), $sourceAsset->getMimeType()); Craft::$app->getElements()->deleteElement($sourceAsset); ```

[*src/controllers/AssetsController.php:L462-L463*](https://github.com/craftcms/cms/blob/5.x/src/controllers/AssetsController.php#L462-L463)

### Impact

An authenticated user who can replace files in one volume can delete assets in another volume where they do not have delete permission, as long as they can obtain a `sourceAssetId`. This can lead to unauthorized asset deletion, broken content references, and data loss.

Are you affected?

Enter the version of the package you're using.

Affected packages

Packagist / craftcms/cms
Introduced in: 5.0.0-RC1 Fixed in: 5.9.21
Fix composer require craftcms/cms:^5.9.21
Packagist / craftcms/cms
Introduced in: 4.0.0-RC1 Fixed in: 4.17.14
Fix composer require craftcms/cms:^4.17.14

References