Statamic account takeover via XSS and password reset link
Description
Statamic is a Laravel and Git powered CMS. HTML files crafted to look like JPG files can be uploaded, allowing for XSS. This affects front-end forms with asset fields that perform no MIME type validation, asset fields in the control panel, and the asset browser in the control panel. Additionally, if the XSS is crafted in a specific way, the "copy password reset link" feature can be abused to obtain a user's password reset token and take over their account. An authorized user must execute the XSS for the vulnerability to occur. In versions 4.46.0 and 3.4.17, the XSS vulnerability has been patched and the copy password reset link functionality has been disabled.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Statamic CMS allows upload of HTML files crafted as JPG, leading to XSS that can be leveraged to steal password reset tokens and achieve account takeover.
Statamic CMS fails to validate MIME types for uploaded files, allowing HTML files disguised with .jpg extensions to be uploaded. This results in stored cross-site scripting (XSS) vulnerabilities in asset fields and the asset browser, both in front-end forms and the control panel [1][3].
To exploit the XSS, an attacker must craft a malicious HTML file that appears as a JPG. When an authorized user interacts with the uploaded file, the XSS executes. If the XSS is crafted in a specific way, it can leverage the "copy password reset link" feature to extract a user's password reset token [3].
Successful exploitation enables an attacker to use the stolen password reset token to reset a user's password, thereby gaining unauthorized access to their account [1][3].
The vulnerability is patched in Statamic versions 4.46.0 and 3.4.17. The patch fixes the XSS issue and disables the "copy password reset link" functionality to prevent token theft [1][3].
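The root cause above is accepting a file on the strength of its extension alone. The following added example (not Statamic's code; the asset-field extension list and the sample uploads are constructed for illustration) shows the defender-side check: compare the file's leading bytes against the signature the extension claims, then refuse anything whose head carries HTML markup, which also catches a genuine JPEG header with markup tucked into a comment segment.

```python
"""Upload validation for an image asset field: the file's content must begin
with the signature of the format its name claims, and its head must carry no
HTML markup. Added example, not Statamic's own code; samples are constructed."""
import os

# Magic bytes for the image types this hypothetical asset field accepts.
IMAGE_SIGNATURES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

# Markup a browser will render if it ends up treating the file as HTML.
HTML_MARKERS = (b"<html", b"<!doctype", b"<script", b"<svg", b"<body", b"<iframe")

SNIFF_WINDOW = 1024  # browsers sniff only the first bytes; so do we


def validate_image_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). Rejects unknown extensions, signature
    mismatches, and files whose head contains HTML markup."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in IMAGE_SIGNATURES:
        return False, f"extension {ext or '(none)'} not allowed"
    if not any(data.startswith(sig) for sig in IMAGE_SIGNATURES[ext]):
        return False, f"content does not match {ext} signature"
    head = data[:SNIFF_WINDOW].lower()
    if any(marker in head for marker in HTML_MARKERS):
        return False, "HTML markup found in file head"
    return True, "ok"


# Constructed sample uploads, not files taken from the advisory.
SAMPLES = {
    # HTML document renamed to .jpg: the CVE-2024-24570 pattern.
    "avatar.jpg": b"<html><body><script>/* xss */</script></body></html>",
    # Genuine JPEG/JFIF header followed by filler image data.
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 64,
    # Valid JPEG signature with markup inside a COM (0xFFFE) segment.
    "poly.jpg": b"\xff\xd8\xff\xfe\x00\x20<script>alert(1)</script>" + b"\x00" * 16,
    "page.html": b"<!DOCTYPE html>",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, validate_image_upload(name, blob))
```

Content checks reduce what gets stored; serving uploads with the correct Content-Type and `X-Content-Type-Options: nosniff`, ideally from a separate origin, keeps a file that slips through from executing in the control panel's origin.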
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| statamic/cms (Packagist) | >= 4.00, < 4.46.0 | 4.46.0 |
| statamic/cms (Packagist) | < 3.4.17 | 3.4.17 |
Affected products
- statamic/cms (v5), range: < 3.4.17
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/advisories/GHSA-vqxq-hvxw-9mv9 (advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2024-24570 (advisory)
- [3] packetstormsecurity.com/files/177133/Statamic-CMS-Cross-Site-Scripting.html (web)
- [4] seclists.org/fulldisclosure/2024/Feb/17 (web)
- [5] github.com/statamic/cms/security/advisories/GHSA-vqxq-hvxw-9mv9 (web, x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.