CVE-2025-66301

Description

### Summary Due to a broken access control vulnerability in the `/admin/pages/{page_name}` endpoint, an editor ( user with full permissions to pages ) can change the functionality of a form after submission. ### Details Due to improper authorization checks when modifying critical fields on a POST request to `/admin/pages/{page_name}`, an editor with only permissions to change basic content on the form is now able to change the functioning of the form through modifying the content of the `data[_json][header][form]` which is the YAML frontmatter which includes the `process` section which dictates what happens after a user submits the form which include some important actions that could lead to further vulnerabilities. ### PoC - Have Admin and Form plugins installed - Connect to panel as admin, create user and give him permission for pages all - Now connect as that user and notice you cant edit any process field in the panel - Change anything in the content of the form and save - Intercept the request: ![image](https://github.com/user-attachments/assets/a66767d9-648e-45b5-9031-4a15bee3072a) - Now modify the field `data[_json][header][form] with the following payload URL-encoded not like this: ``` {"name":"ssti-test 2","fields":{"name":{"type":"text","label":"Name","required":true}},"buttons":{"submit":{"type":"submit","value":"Submit"}},"process":[{"message":"{{ evaluate_twig(form.value('name')) }}"}]} ``` - Change the field and forward it: ![image](https://github.com/user-attachments/assets/dd5f95d7-c61f-4fc0-9e9a-e67825f20aea) Request goes through and changes have been made to the form. ![image](https://github.com/user-attachments/assets/42a77e10-571b-43a2-8410-14d82dba28e5) ### Impact - Attacker can modify submission logic of the form which leads to changing redirect value, email sending, changing template, breaking out of the Twig sandbox potentially executing code... ### Fix recommendation - Implement proper authorization checks to such requests especially when it contains fields user shouldn't be able to modify based on his role.

How to fix CVE-2025-66301

To remediate CVE-2025-66301, upgrade the affected package to a fixed version below.

—upgrade to 1.8.0-beta.27 or later

Is CVE-2025-66301 being exploited?

Moderate — EPSS is 29.1%. Track this CVE but it's not at the top of the prioritisation list.

Description

How to fix CVE-2025-66301

Is CVE-2025-66301 being exploited?

Affected packages (1)

CVSS scores

References (3)