CISA Flags Craft CMS Vulnerability CVE-2025-23209 Amid Effective Strikes

Feb 21, 2025Ravie LakshmananWeb Security / Risk

A high-severity security flaw impacting the Craft content management system (CMS) has been added by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

The vulnerability in question is CVE-2025-23209 (CVSS score: 8.1), which impacts Craft CMS versions 4 and 5. The project maintainers addressed it in late December 2024 in versions 4.13.8 and 5.5.8.

The agency said that "Craft CMS has a code injection vulnerability that allows for remote code execution because vulnerable versions have compromised user security keys."

The following versions of the software are affected by the vulnerability:

  • >= 5.0.0-RC1, < 5.5.5
  • >= 4.0.0-RC1, < 4.13.8
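As an added example (not part of the article and not Craft's own tooling), a small Python checker that tells an administrator whether an installed Craft version falls inside the affected ranges listed above. It assumes the fixed releases named in the article (4.13.8 and 5.5.8) as the upper bounds and handles the -RC1 pre-release lower bound, which plain string comparison gets wrong.

```python
import re

# Affected ranges as summarised in the article: the lower bound is the first release
# candidate of each major branch, the upper bound is the release that ships the fix.
# (Assumption: the fixed releases 4.13.8 and 5.5.8 are used as the upper bounds.)
AFFECTED_RANGES = [("4.0.0-RC1", "4.13.8"), ("5.0.0-RC1", "5.5.8")]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)(\d*))?$")


def parse_version(text):
    """Turn '5.5.8' or '5.0.0-RC1' into a sortable tuple.

    A pre-release such as RC1 sorts before the final release with the same
    numbers, so 5.0.0-RC1 < 5.0.0. The fourth element is 0 for a pre-release
    and 1 for a final release; the tag name and number then order pre-releases.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Craft version string: {text!r}")
    major, minor, patch, tag, num = m.groups()
    if tag is None:
        return (int(major), int(minor), int(patch), 1, "", 0)
    return (int(major), int(minor), int(patch), 0, tag.lower(), int(num or 0))


def is_affected(version, ranges=AFFECTED_RANGES):
    """Return True if `version` lies inside any half-open [lower, upper) range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in ranges)


if __name__ == "__main__":
    # Constructed sample versions, including both range edges and an older branch.
    for sample in ["4.0.0-RC1", "4.13.7", "4.13.8", "5.0.0-RC1", "5.5.7", "5.5.8", "3.9.0"]:
        print(f"{sample:10} affected={is_affected(sample)}")
```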

Craft CMS noted in a GitHub advisory that any unpatched versions of Craft that have a compromised security key are affected by the security flaw.

"If you can't upgrade to a fixed version, then rotating your security key and ensuring its protection will help to alleviate the issue," it noted.

It's currently not clear how the user security keys were compromised, and in what context. To mitigate the risk posed by the vulnerability, it's recommended that Federal Civilian Executive Branch (FCEB) agencies apply the necessary patches by March 13, 2025.
