Information Exposure Affecting silverstripe/framework package, versions <4.4.6 >=4.5.0, <4.5.3
Snyk CVSS
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PHP-SILVERSTRIPEFRAMEWORK-565483
- published 15 Apr 2020
- disclosed 15 Apr 2020
- credit Ingo Schommer
Introduced: 15 Apr 2020
CVE-2020-9280 Open this link in a new tabHow to fix?
Upgrade silverstripe/framework
to version 4.4.6, 4.5.3 or higher.
Overview
silverstripe/framework is a PHP framework forming the base for the SilverStripe CMS.
Affected versions of this package are vulnerable to Information Exposure. Files uploaded via Forms to folders migrated from Silverstripe CMS 3.x may be put to the default "/Uploads" folder instead. Uploads performed via the CMS UI are not affected. This is a security issue because the default "/Uploads" folder is publicly accessible by default, which means unauthorised parties may access the uploaded files via HTTP by guessing the file name.