A high-severity security flaw impacting the Craft content management system (CMS) has been added by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
The vulnerability in question is (CVSS score: 8.1), which impacts Craft CMS versions 4 and 5. The project maintainers addressed it in late December 2024 in versions 4.13.8 and 5.5.8.
The agency said that "Craft CMS contains a code injection vulnerability that allows for remote code execution as vulnerable versions have compromised user security keys."
The vulnerability affects the following versions of the software:
- >= 5.0.0-RC1, < 5.5.5
- >= 4.0.0-RC1, < 4.13.8
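The two ranges above are the only information a defender needs to triage an installation, but the `-RC1` lower bounds mean a naive string comparison gets pre-release builds wrong. The following is an added example, not code from the article or from the Craft CMS project: it parses a Craft version string, orders pre-releases the way Composer does (alpha < beta < RC < stable; that ordering is an assumption, not something the article states), and reports whether the installed version falls inside either affected range.

```python
import re
from typing import Tuple

# Affected ranges exactly as listed on the page:
# lower bound inclusive (>=), upper bound exclusive (<).
AFFECTED_RANGES = (
    ("5.0.0-RC1", "5.5.5"),
    ("4.0.0-RC1", "4.13.8"),
)

# Pre-release ordering (assumption, modelled on Composer's rules):
# alpha < beta < RC < stable release.
_STAGE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_STABLE_RANK = 3

# Accepts "5.5.4", "5.0.0-RC1", "5.0.0-beta.2" (case-insensitive stage name).
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|rc)\.?(\d*))?$", re.IGNORECASE
)


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Return a comparable tuple (major, minor, patch, stage_rank, stage_number)."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, stage, stage_num = match.groups()
    if stage is None:
        rank, num = _STABLE_RANK, 0          # stable release sorts after any pre-release
    else:
        rank = _STAGE_RANK[stage.lower()]
        num = int(stage_num) if stage_num else 0
    return (int(major), int(minor), int(patch), rank, num)


def is_affected(installed: str) -> bool:
    """True if the installed version lies inside one of the published affected ranges."""
    version = parse_version(installed)
    return any(
        parse_version(low) <= version < parse_version(high)
        for low, high in AFFECTED_RANGES
    )


def triage(installed: str) -> str:
    """Human-readable verdict for a single installation."""
    if is_affected(installed):
        return f"{installed}: AFFECTED - update to a patched release"
    return f"{installed}: not in an affected range"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for version in ("5.5.4", "5.5.5", "5.0.0-RC1", "5.0.0-beta.2", "4.13.7", "4.13.8", "3.9.14"):
        print(triage(version))
```

Because the advisory ties exploitation to a compromised security key, a version outside the affected range is not by itself a clean bill of health; the key rotation the maintainers recommend still applies wherever the key may have leaked.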
Craft CMS noted in a GitHub advisory that the security flaw affects all unpatched versions of Craft with a compromised security key.
"If you can't update to a patched version, then rotating your security key and ensuring its privacy will help to mitigate the issue," it noted.
It's currently not clear how the user security keys were compromised, and in what context. To reduce the risk posed by the vulnerability, it's recommended that Federal Civilian Executive Branch (FCEB) agencies apply the necessary updates by March 13, 2025.