CVE-2024-24570

CVSS 3.1 Score 6.1 of 10 (medium)

Details

Published Feb 1, 2024
Updated: Feb 14, 2024
CWE ID 79

Summary

CVE-2024-24570 is a vulnerability affecting Statamic, a Laravel and Git-powered CMS. Maliciously crafted files disguised as JPG images can be uploaded via front-end forms with unvalidated asset fields, as well as through the control panel and asset browser. This leads to Cross-Site Scripting (XSS) attacks. If the XSS is executed in a specific manner, attackers can exploit the "copy password reset link" feature to obtain a user's password reset token and gain unauthorized access to their account. The vulnerability is addressed in versions 4.46.0 and 3.4.17, which add mime type validation to asset fields and disable the copy password reset link functionality.
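The fix described above validates the mime type of uploaded assets rather than trusting the filename. The following added example (not Statamic's code) shows that kind of check in Python: it sniffs the file's leading bytes, compares the detected type with what the extension claims, and rejects a constructed sample where non-image markup is named `.jpg`.

```python
from typing import Optional, Tuple

# Magic-byte signatures for the image types we are willing to accept.
MAGIC = {
    "image/jpeg": [b"\xff\xd8\xff"],
    "image/png": [b"\x89PNG\r\n\x1a\n"],
    "image/gif": [b"GIF87a", b"GIF89a"],
}
# Extension -> mime type the uploader is claiming by naming the file this way.
EXT_TO_MIME = {"jpg": "image/jpeg", "jpeg": "image/jpeg",
               "png": "image/png", "gif": "image/gif"}


def sniff_mime(data: bytes) -> Optional[str]:
    """Return the mime type implied by the file's leading bytes, or None."""
    for mime, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return mime
    return None


def validate_asset(filename: str, data: bytes) -> Tuple[bool, str]:
    """Accept only when extension and actual content agree on an allowed type.

    The filename and any client-declared Content-Type are attacker-controlled,
    so the decision is made on the bytes, not on either of those.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = EXT_TO_MIME.get(ext)
    if claimed is None:
        return False, f"extension '{ext}' is not an allowed image type"
    actual = sniff_mime(data)
    if actual is None:
        return False, "content is not a recognised image format"
    if actual != claimed:
        return False, f"content is {actual} but extension claims {claimed}"
    return True, actual


# Constructed samples (hypothetical, not real upload data):
REAL_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16        # minimal JPEG prefix
DISGUISED = b"<svg xmlns='http://www.w3.org/2000/svg'></svg>"  # markup named .jpg


def run_samples() -> dict:
    """Run the check over the constructed samples and return the verdicts."""
    return {
        "photo.jpg": validate_asset("photo.jpg", REAL_JPEG),
        "disguised.jpg": validate_asset("disguised.jpg", DISGUISED),
        "mislabeled.png": validate_asset("mislabeled.png", REAL_JPEG),
    }
```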
