Merge branch 'advisory/GHSA-5pgf-h923-m958' into 4.x

brandonkelly · brandonkelly · commit 7290d91639e5 · 2026-02-25T11:24:20.000-08:00
# Conflicts:
#	CHANGELOG.md
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,7 +4,7 @@
 
 - The `PDO::MYSQL_ATTR_MULTI_STATEMENTS` attribute is no longer set by default for database connections. ([#18474](https://github.com/craftcms/cms/issues/18474))
 - Fixed a [moderate-severity](https://github.com/craftcms/cms/security/policy#severity--remediation) access control vulnerability. (GHSA-6mrr-q3pj-h53w)
-- Fixed a [moderate-severity](https://github.com/craftcms/cms/security/policy#severity--remediation) information disclosure vulnerability. (GHSA-3pvf-vxrv-hh9c)
+- Fixed [moderate-severity](https://github.com/craftcms/cms/security/policy#severity--remediation) information disclosure vulnerabilities. (GHSA-3pvf-vxrv-hh9c, GHSA-5pgf-h923-m958)
 
 ## 4.17.7 - 2026-02-24
 
diff --git a/src/controllers/AssetsController.php b/src/controllers/AssetsController.php
@@ -1149,6 +1149,7 @@ public function actionGenerateTransform(?int $transformId = null): Response
                 throw new ServerErrorHttpException('Image transform cannot be created.', previous: $e);
             }
         } else {
+            $this->requirePermission('accessCp');
             $assetId = $this->request->getRequiredBodyParam('assetId');
             $handle = $this->request->getRequiredBodyParam('handle');
             if (!is_string($handle)) {

Original file line number	Diff line number	Diff line change
`@@ -1149,6 +1149,7 @@ public function actionGenerateTransform(?int $transformId = null): Response`
`1149`	`1149`	`throw new ServerErrorHttpException('Image transform cannot be created.', previous: $e);`
`1150`	`1150`	`}`
`1151`	`1151`	`} else {`
	`1152`	`+ $this->requirePermission('accessCp');`
`1152`	`1153`	`$assetId = $this->request->getRequiredBodyParam('assetId');`
`1153`	`1154`	`$handle = $this->request->getRequiredBodyParam('handle');`
`1154`	`1155`	`if (!is_string($handle)) {`