JetBrains announced today that it has released a security update for PhpStorm and all of its other IntelliJ-based IDEs due to a set of critical vulnerabilities:
The cross-site request forgery (CSRF) flaw in the IDE’s built-in webserver allowed an attacker to access local file system from a malicious web page without user consent.
Over-permissive CORS settings allowed attackers to use a malicious website in order to access various internal API endpoints, gain access to data saved by the IDE, and gather various meta-information like IDE version or open a project.
The update issued today patches the critical vulnerabilities inside the underlying IntelliJ platform that powers nearly a dozen popular IDEs. Installing the update is as easy as selecting ‘Check for Updates’ inside the IDE. Alternatively, customers can download the most recent version from JetBrains.com and the security announcement includes links to download older versions.
Although the JetBrains security team is not aware of these vulnerabilities having been exploited, immediate update is recommended.