A high-severity vulnerability exists within Statamic Core software, identified as CVE-2020-9322. This flaw allows an unauthenticated, remote attacker to potentially access and manipulate sensitive user data through a specific application endpoint. Successful exploitation could lead to unauthorized access, account takeovers, and significant data breaches, posing a critical risk to the organization.

The vulnerability exists in the /users API endpoint of Statamic Core. Due to improper access control, a remote, unauthenticated attacker can send a specially crafted request to this endpoint to retrieve sensitive user information. The high CVSS score of 8.8 indicates that the exploit is low in complexity and requires no user interaction, allowing an attacker to potentially enumerate users, extract data, and possibly perform unauthorized actions on user accounts.

This vulnerability is rated as High severity with a CVSS score of 8.8. Exploitation could have a severe impact on business operations, confidentiality, and integrity. Potential consequences include the breach of Personally Identifiable Information (PII) of users, leading to reputational damage and loss of customer trust. Furthermore, the organization could face regulatory penalties under data protection laws like GDPR or CCPA. If compromised accounts have administrative privileges, the attacker could gain further control over the application and underlying systems.

Immediate Action: Apply vendor security updates immediately to upgrade Statamic Core to version 2.0 or a later, patched version. After patching, review web server and application access logs for any suspicious activity or exploitation attempts targeting the /users endpoint that may have occurred prior to remediation.

Proactive Monitoring: Implement continuous monitoring of application logs, specifically looking for unusual or high-volume requests to the /users endpoint from untrusted IP addresses. Configure alerts for unauthorized account modifications, password resets, or privilege escalations that could indicate a successful compromise.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) rule to block or rate-limit access to the /users endpoint from external, untrusted sources. If possible, restrict network access to this endpoint, allowing connections only from trusted internal IP addresses until the patch can be applied.

Public Exploit Available: True

Given the high severity (CVSS 8.8) and the confirmed availability of public exploit code, this vulnerability poses a critical and immediate risk. We strongly recommend that organizations prioritize the deployment of the vendor-supplied security patch across all affected systems without delay. Although this CVE is not currently listed on the CISA KEV list, its public nature and severe impact warrant urgent attention. If patching is delayed, the compensating controls outlined above must be implemented as a temporary, high-priority measure to reduce the attack surface.