Severity: LOW 3.5

GHSA-7mqq-4v55-88gh

Statamic CMS's incorrect authorization lets view-only users submit Live Preview content reserved for editors

Details

### Impact

The Live Preview endpoint for existing entries and terms checked only view authorization, yet it accepts and renders caller-supplied field values. A Control Panel user with view but not edit permission could therefore submit content they were not authorized to author and generate a shareable Live Preview URL that renders it.
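The following added example models the authorization gap described above in a minimal Python simulation; it is not Statamic code, and the `User`, `Entry`, permission strings and preview functions are all hypothetical stand-ins. It places the weak check (view permission only) beside a corrected one that treats a preview of caller-supplied field values as an authoring action and therefore requires edit permission, while still letting a view-only user preview the stored content unchanged.

```python
"""Model of a Live Preview endpoint that accepts caller-supplied field values.

Added example, not code from the advisory or the Statamic project.
All classes and permission names here are hypothetical.
"""
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller lacks the permission an action needs."""


@dataclass(frozen=True)
class User:
    name: str
    permissions: frozenset  # constructed strings such as "view:home", "edit:home"

    def can(self, action: str, entry_id: str) -> bool:
        return f"{action}:{entry_id}" in self.permissions


@dataclass
class Entry:
    id: str
    fields: dict


# Constructed sample content store with one entry.
STORE = {"home": Entry("home", {"title": "Welcome", "body": "Stored body"})}


def render(fields: dict) -> str:
    """Toy renderer; real templating would also escape these values."""
    return f"<h1>{fields['title']}</h1><p>{fields['body']}</p>"


def live_preview_vulnerable(user: User, entry_id: str, submitted: dict) -> str:
    """Weak check: only 'view' is verified, but submitted values are rendered.

    A view-only user can therefore push arbitrary field values into the
    rendered preview, which is the gap the advisory describes.
    """
    if not user.can("view", entry_id):
        raise Forbidden(f"{user.name} may not view {entry_id}")
    fields = {**STORE[entry_id].fields, **submitted}
    return render(fields)


def live_preview_fixed(user: User, entry_id: str, submitted: dict) -> str:
    """Corrected check: rendering caller-supplied values is authoring.

    Viewing the stored content as-is still needs only 'view'; any submitted
    override requires 'edit', so view-only users cannot author preview content.
    """
    if not user.can("view", entry_id):
        raise Forbidden(f"{user.name} may not view {entry_id}")
    if submitted and not user.can("edit", entry_id):
        raise Forbidden(f"{user.name} may not author preview content for {entry_id}")
    fields = {**STORE[entry_id].fields, **submitted}
    return render(fields)


def is_denied(preview, user: User, entry_id: str, submitted: dict) -> bool:
    """Helper for checking outcomes: True if the preview raises Forbidden."""
    try:
        preview(user, entry_id, submitted)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    viewer = User("viewer", frozenset({"view:home"}))
    editor = User("editor", frozenset({"view:home", "edit:home"}))
    override = {"body": "unreviewed text"}
    print("vulnerable, viewer:", live_preview_vulnerable(viewer, "home", override))
    print("fixed, viewer denied:", is_denied(live_preview_fixed, viewer, "home", override))
    print("fixed, editor:", live_preview_fixed(editor, "home", override))
```

The split between "view" and "edit" on the same endpoint is the point to take away: the permission a handler checks must match what the request can actually do, and a request that carries field values to render is an authoring request regardless of which URL it arrives on.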

### Patches

This has been fixed in 5.74.0 and 6.20.3.


Affected packages

| Ecosystem / package | First affected version | Fixed version | Fix |
| --- | --- | --- | --- |
| Packagist / statamic/cms | 0 | 5.74.0 | `composer require statamic/cms:^5.74.0` |
| Packagist / statamic/cms | 6.0.0 | 6.20.3 | `composer require statamic/cms:^6.20.3` |

References