VYPR
High severity · NVD Advisory · Published Jul 9, 2021 · Updated Aug 3, 2024

Files or Directories Accessible to External Parties in ether/logs

CVE-2021-32752

Description

Ether Logs is a package that allows one to check one's logs in the Craft 3 utilities section. A vulnerability was found in versions prior to 3.0.4 that allowed authenticated admin users to access any file on the server. The vulnerability has been fixed in version 3.0.4. As a workaround, one may disable the plugin if untrustworthy sources have admin access.
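A stricter way to turn a requested log name into a path, as an added example (not code from ether/logs or Craft). The helper name `resolveLogPath`, the file-name pattern and the sample directory are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Resolve a requested log name to a real path inside $logsDir, or return null.
 * Hypothetical helper for illustration; not part of ether/logs or Craft.
 */
function resolveLogPath(string $logsDir, string $requested): ?string
{
    // Accept only a bare file name: no directory part, no NUL byte.
    if ($requested === '' || $requested !== basename($requested) || strpos($requested, "\0") !== false) {
        return null;
    }
    // Assumed naming rule: "<name>.log" with an optional numeric rotation suffix.
    if (preg_match('/\A[A-Za-z0-9_-]+\.log(\.\d+)?\z/', $requested) !== 1) {
        return null;
    }
    // realpath() follows symlinks, so a link that points out of the directory
    // fails the prefix comparison below.
    $base = realpath($logsDir);
    $path = realpath($logsDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed sample data: a temporary logs directory with one log and one other file.
$logsDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'logs-demo-' . bin2hex(random_bytes(4));
mkdir($logsDir);
file_put_contents($logsDir . DIRECTORY_SEPARATOR . 'web.log', "constructed log line\n");
file_put_contents($logsDir . DIRECTORY_SEPARATOR . 'notes.login.txt', "not a log\n");

foreach (['web.log', '../web.log', 'notes.login.txt', 'missing.log'] as $name) {
    $result = resolveLogPath($logsDir, $name);
    printf("%-16s => %s\n", $name, $result === null ? 'rejected' : 'served');
}

// Remove the constructed files again.
unlink($logsDir . DIRECTORY_SEPARATOR . 'web.log');
unlink($logsDir . DIRECTORY_SEPARATOR . 'notes.login.txt');
rmdir($logsDir);
```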

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
|---|---|---|
| ether/logs (Packagist) | < 3.0.4 | 3.0.4 |

Patches

eb225cc78b11

Fix security vulnerability

4 files changed · +21 −9
  • CHANGELOG.md +4 −0 modified
    @@ -1,3 +1,7 @@
    +## 3.0.4 - 2021-07-09 [CRITICAL]
    +### Fixed
    +- Fix security vulnerability
    +
     ## 3.0.3 - 2019-11-25
     ### Fixed
     - Fix error when first file is not `*.log` (via [@sebschaefer](https://github.com/sebschaefer))
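Review bot: the new `- Fix security vulnerability` entry under 3.0.4 does not say what was fixed, so a reader deciding how urgently to upgrade has only the `[CRITICAL]` tag to go on. Suggest naming the affected feature and the impact, for example that the log stream action now restricts the `log` parameter to `.log` file names inside the logs directory.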
    
  • composer.json +1 −1 modified
    @@ -1,7 +1,7 @@
     {
       "name": "ether/logs",
       "description": "Access logs from the CP",
    -  "version": "3.0.3",
    +  "version": "3.0.4",
       "type": "craft-plugin",
       "minimum-stability": "dev",
       "require": {
    
  • src/Controller.php +9 −3 modified
    @@ -2,14 +2,20 @@
     
     namespace ether\logs;
     
    +use Craft;
    +
     class Controller extends \craft\web\Controller
     {
     
     	public function actionStream ()
     	{
    -		$logsDir = \Craft::getAlias('@storage/logs');
    -		$logFile = \Craft::$app->request->getParam('log');
    -		$currentLog = \Craft::$app->request->get('log', $logFile);
    +		$logsDir = Craft::getAlias('@storage/logs');
    +		$logFile = Craft::$app->request->getParam('log');
    +		$currentLog = basename(Craft::$app->request->get('log', $logFile));
    +
    +		if (strpos($currentLog, '.log') === false)
    +			return '<p>You can only access <code>.log</code> files!</p>';
    +
     		$log = file_get_contents($logsDir . '/' . $currentLog);
     
     		exit($log);
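Review bot: `strpos($currentLog, '.log') === false` in `actionStream` is a substring test, so it accepts any name that contains `.log` anywhere, not only names that end in that extension. `basename()` already keeps the read inside `$logsDir`, but the filter would be tighter as an end-anchored match or as a lookup against the same list the template iterates as `logFiles`. Two smaller points: the rejection path returns an HTML string while the success path calls `exit($log)`, and the result of `file_get_contents()` is not checked for `false` when the file does not exist.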
    
  • src/templates/view.twig +7 −5 modified
    @@ -1,9 +1,11 @@
     <form>
    -	<select id="__logSwitch">
    -		{% for file in logFiles %}
    -			<option{{ file == currentLog ? ' selected' }}>{{ file }}</option>
    -		{% endfor %}
    -	</select>
    +	<label class="select">
    +		<select id="__logSwitch">
    +			{% for file in logFiles %}
    +				<option{{ file == currentLog ? ' selected' }}>{{ file }}</option>
    +			{% endfor %}
    +		</select>
    +	</label>
     </form>
     
     <hr style="margin-bottom:0">
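Review bot: wrapping `<select id="__logSwitch">` in `<label class="select">` is a presentational change with no bearing on the file-access fix. The security change would be easier to audit and backport if this template edit went in a separate commit.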
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
