GHSA-592m-4533-rxq9

Source
https://github.com/advisories/GHSA-592m-4533-rxq9
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-592m-4533-rxq9/GHSA-592m-4533-rxq9.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-592m-4533-rxq9
Aliases
Published
2022-05-24T17:15:19Z
Modified
2024-04-25T21:26:37.612295Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
SilverStripe Folders migrated from 3.x may be unsafe to upload to
Details

In SilverStripe through 4.5, files uploaded via Forms to folders migrated from Silverstripe CMS 3.x may be placed in the default "/Uploads" folder instead of the intended folder. This affects installations which allowed upload folder protection via the optional silverstripe/secureassets module under 3.x. This module is installed and enabled by default on the Common Web Platform (CWP). The vulnerability only affects files uploaded after an upgrade to 4.x.

Database specific
{
    "nvd_published_at": "2020-04-15T21:15:00Z",
    "cwe_ids": [
        "CWE-434"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-25T21:06:35Z"
}
References

Affected packages

Packagist / silverstripe/framework

Package

Name
silverstripe/framework
Purl
pkg:composer/silverstripe/framework

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.0.0
Fixed
4.4.6

Affected versions

4.*

4.0.0
4.0.1-rc1
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.0.6
4.0.7
4.1.0-rc1
4.1.0-rc2
4.1.0
4.1.1
4.1.2
4.1.3
4.1.4
4.1.5
4.2.0-beta1
4.2.0
4.2.1
4.2.2
4.2.3
4.2.4
4.2.5
4.3.0-rc1
4.3.0
4.3.1
4.3.2
4.3.3
4.3.4
4.3.5
4.4.0-rc1
4.4.0
4.4.1
4.4.2
4.4.3
4.4.4
4.4.5

Packagist / silverstripe/userforms

Package

Name
silverstripe/userforms
Purl
pkg:composer/silverstripe/userforms

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.0.0
Fixed
5.4.2

Affected versions

5.*

5.0.0
5.0.1
5.0.2
5.1.0
5.1.1
5.2.0
5.2.1
5.2.2
5.3.0
5.3.1
5.3.2
5.3.3
5.4.0
5.4.1

Packagist / silverstripe/assets

Package

Name
silverstripe/assets
Purl
pkg:composer/silverstripe/assets

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.0.0
Fixed
1.4.7

Affected versions

1.*

1.0.0
1.0.1-rc1
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.1.0-rc1
1.1.0-rc2
1.1.0
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.2.0-beta1
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.2.5
1.3.0-rc1
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5
1.4.0-rc1
1.4.0
1.4.1
1.4.2
1.4.3
1.4.4
1.4.5
1.4.6

Packagist / silverstripe/assets

Package

Name
silverstripe/assets
Purl
pkg:composer/silverstripe/assets

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.5.0
Fixed
1.5.2

Affected versions

1.*

1.5.0
1.5.1