GHSA-vcg6-8fxc-x5cq

Source
https://github.com/advisories/GHSA-vcg6-8fxc-x5cq
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-vcg6-8fxc-x5cq/GHSA-vcg6-8fxc-x5cq.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-vcg6-8fxc-x5cq
Published
2024-05-27T23:35:14Z
Modified
2024-12-02T05:41:01.837911Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
silverstripe/framework allows upload of dangerous file types
Details

Some potentially dangerous file types exist in File.allowedextensions, which could allow a malicious CMS user to upload files that then get executed in the security context of the website. We have removed the ability to upload .css, .js, .potm, .dotm, .xltm and .jar files in the default configuration. Since allowedextensions is synced to the webserver configuration (in assets/.htaccess) automatically, this will also deny access to any existing uploads with these extensions.

Review our security guidelines for the Common Web Platform and the File Security guide for SilverStripe 4 to find out how to add or remove extensions.

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-434"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-27T23:35:14Z"
}
References

Affected packages

Packagist / silverstripe/framework

Package

Name
silverstripe/framework
Purl
pkg:composer/silverstripe/framework

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.6.5-rc1
Fixed
3.6.6

Affected versions

3.*

3.6.5
3.6.6-rc1

Packagist / silverstripe/framework

Package

Name
silverstripe/framework
Purl
pkg:composer/silverstripe/framework

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.0.3-rc1
Fixed
4.0.4

Affected versions

4.*

4.0.3

Packagist / silverstripe/framework

Package

Name
silverstripe/framework
Purl
pkg:composer/silverstripe/framework

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.1.0-rc1
Fixed
4.1.1

Affected versions

4.*

4.1.0-rc1
4.1.0-rc2
4.1.0