{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/alchemy-cms--7.4.14/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Alchemy CMS (\u003e= 8.2.0, \u003c= 8.2.5)","Alchemy CMS (\u003e= 8.1.0, \u003c= 8.1.13)","Alchemy CMS (\u003e= 8.0.0.a, \u003c= 8.0.14)","Alchemy CMS (\u003c= 7.4.14)"],"_cs_severities":["high"],"_cs_tags":["web-vulnerability","information-disclosure","cms","rails","ruby"],"_cs_type":"advisory","_cs_vendors":["AlchemyCMS"],"content_html":"\u003cp\u003eA critical information disclosure vulnerability exists within Alchemy CMS, affecting versions up to 8.2.5 (including 8.0.0.a-8.0.14, 8.1.0-8.1.13, and 8.2.0-8.2.5), and all 7.x versions up to 7.4.14. The flaw lies in the \u003ccode\u003eApi::PagesController#nested\u003c/code\u003e endpoint, specifically \u003ccode\u003eGET /api/pages/nested\u003c/code\u003e, which allows any unauthenticated user to retrieve the full internal page tree, including metadata for pages marked as restricted or unpublished. More critically, appending \u003ccode\u003e?elements=true\u003c/code\u003e to the request exposes the actual content of these sensitive pages, completely bypassing intended access controls. This vulnerability stems from a lack of authorization checks (\u003ccode\u003eauthorize!\u003c/code\u003e) and proper content scoping within the \u003ccode\u003enested\u003c/code\u003e action, contrasting with other API actions that correctly enforce these security measures. This can lead to the unauthorized exposure of confidential organizational data.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eTarget Identification\u003c/strong\u003e: An attacker identifies a public-facing website running a vulnerable version of Alchemy CMS through various reconnaissance methods (e.g., banner grabbing, web application scanning, or examining publicly available information).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Information Gathering (Metadata)\u003c/strong\u003e: The attacker sends an unauthenticated \u003ccode\u003eGET\u003c/code\u003e request to the \u003ccode\u003e/api/pages/nested\u003c/code\u003e endpoint (e.g., \u003ccode\u003ecurl -s http://target.com/api/pages/nested\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDiscovery of Sensitive Pages\u003c/strong\u003e: The API response provides a JSON object containing the full page tree, including metadata for all pages. This response reveals which pages are marked as \u003ccode\u003e\u0026quot;restricted\u0026quot;:true\u003c/code\u003e or \u003ccode\u003e\u0026quot;public\u0026quot;:false\u003c/code\u003e, indicating content that should be hidden from anonymous users.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTargeted Content Request\u003c/strong\u003e: Based on the identified sensitive page metadata, the attacker constructs a new \u003ccode\u003eGET\u003c/code\u003e request to the same \u003ccode\u003e/api/pages/nested\u003c/code\u003e endpoint, this time appending the \u003ccode\u003eelements=true\u003c/code\u003e parameter (e.g., \u003ccode\u003ecurl -s \u0026quot;http://target.com/api/pages/nested?elements=true\u0026quot;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExfiltration of Confidential Data\u003c/strong\u003e: The vulnerable Alchemy CMS application responds to this request by providing the full content (elements/ingredients) of the previously identified restricted and unpublished pages, including sensitive text like \u0026quot;TOPSECRET_RESTRICTED_BODY_proof123\u0026quot;, effectively bypassing all access control mechanisms.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact and Analysis\u003c/strong\u003e: The attacker successfully obtains confidential information, intellectual property, or other sensitive data, which can then be used for competitive advantage, further system compromise, or to cause significant reputational and financial damage.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability allows for complete and unauthenticated information disclosure of any content stored within Alchemy CMS that has been marked as restricted or unpublished. This could include sensitive business documents, intellectual property, draft communications, private user data, or internal plans. If exploited, organizations face severe consequences such as data breaches, regulatory non-compliance, reputational damage, and financial losses due to the exposure of proprietary or confidential information. The severity is highlighted by the observed ability to leak specific \u0026quot;TOPSECRET_RESTRICTED_BODY_proof123\u0026quot; content.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-XXXX-YYYY\u003c/strong\u003e: Immediately upgrade your Alchemy CMS installation to a fixed version beyond 8.2.5 (e.g., 8.2.6 or later for the 8.x series) or 7.4.14 (for the 7.x series) to remediate the vulnerability described in the GHSA-mqq5-j7w8-2hgh advisory.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEnable Webserver Logging\u003c/strong\u003e: Ensure comprehensive logging is enabled for your web server (e.g., Apache, Nginx) to capture full HTTP request details, including \u003ccode\u003ecs-method\u003c/code\u003e, \u003ccode\u003ecs-uri-stem\u003c/code\u003e, and \u003ccode\u003ecs-uri-query\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeploy Sigma Rules\u003c/strong\u003e: Deploy the provided Sigma rules \u003ccode\u003eDetects Alchemy CMS /api/pages/nested metadata leak attempt\u003c/code\u003e and \u003ccode\u003eDetects Alchemy CMS /api/pages/nested sensitive content leak attempt\u003c/code\u003e to your SIEM solution and tune them for your environment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReview Logs\u003c/strong\u003e: Proactively review historical web server logs for any past exploitation attempts matching the patterns identified in the Sigma rules.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-19T17:53:42Z","date_published":"2026-06-19T17:53:42Z","id":"https://feed.craftedsignal.io/briefs/2026-06-alchemycms-nested-api-leak/","summary":"An unauthenticated API endpoint, `GET /api/pages/nested`, in Alchemy CMS versions up to 8.2.5 (including all 8.x versions prior to a fix and all 7.x versions up to 7.4.14), fails to enforce authorization and scoping checks, allowing any anonymous user to retrieve the complete page tree, encompassing restricted and unpublished pages, and, with `?elements=true`, the full content of these sensitive pages, completely bypassing intended access controls and leading to unauthorized information disclosure.","title":"AlchemyCMS: Unauthenticated Nested Page API Leaks Restricted \u0026 Unpublished Content","url":"https://feed.craftedsignal.io/briefs/2026-06-alchemycms-nested-api-leak/"}],"language":"en","title":"CraftedSignal Threat Feed - Alchemy CMS (\u003c= 7.4.14)","version":"https://jsonfeed.org/version/1.1"}