CVE-2022-23409: Duplicate Advisory: Path Traversal in the Logs plugin for Craft CMS

February 1, 2022 (updated January 23, 2026)

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-fp63-499m-hq6m. This link is maintained to preserve external references.

Original Description

The Logs plugin before 3.0.4 for Craft CMS allows remote attackers to read arbitrary files via input to actionStream in Controller.php.

References

github.com/advisories/GHSA-9chx-2vqw-8vq5
github.com/ethercreative/logs
github.com/ethercreative/logs/commit/eb225cc78b1123a10ce2784790f232d71c2066c4
nvd.nist.gov/vuln/detail/CVE-2022-23409
plugins.craftcms.com/logs
sec-consult.com/vulnerability-lab

Code Behaviors & Features

Detect and mitigate CVE-2022-23409 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →