The Sprig Plugin for Craft CMS is a reactive Twig component framework for Craft CMS. Starting in version 2.0.0 and prior to versions 2.15.2 and 3.15.2, admin users, and users with explicit permission to access the Sprig Playground, could potentially expose the security key, credentials, and other sensitive configuration data, in addition to running the `hashData()` signing function. This issue was mitigated in versions 3.15.2 and 2.15.2 by disabling access to the Sprig Playground entirely when `devMode` is disabled, by default.
It is possible to override this behavior using a new `enablePlaygroundWhenDevModeDisabled` that defaults to `false`.
Attack Parameters
Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
High
Admin privileges needed
User Interaction
None
No user interaction needed
Impact Assessment
Confidentiality
High
Complete data leak
Integrity
Low
Partial data modification
Availability
None
No disruption
CVSS Vector v3.1
Weakness Type (CWE)
References 3
https://github.com/putyourlightson/craft-sprig/commit/09c9da2ffb45a8857829f3390…
security-advisories@github.com
https://github.com/putyourlightson/craft-sprig/commit/db18c46f6dc5603828aa321a3…
security-advisories@github.com
https://github.com/putyourlightson/craft-sprig/security/advisories/GHSA-m59h-42…
security-advisories@github.com