Description
Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, the GraphQL directive @parseRefs, intended to parse internal reference tags (e.g., {user:1:email}), can be abused by both authenticated users and unauthenticated guests (if a Public Schema is enabled) to access sensitive attributes of any element in the CMS. The implementation in Elements::parseRefs fails to perform authorization checks, allowing attackers to read data they are not authorized to view. This vulnerability is fixed in 4.17.0-beta.1 and 5.9.0-beta.1.
Remediation
References
Related Vulnerabilities
WordPress Plugin Participants Database Multiple Vulnerabilities (1.7.5.3)
Pega Infinity Exposure of Resource to Wrong Sphere Vulnerability (CVE-2019-16387)
Moodle Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2025-3641)
WordPress Plugin Z-Vote 'zvote' Parameter SQL Injection (1.1)