CVE-2019-12245

Incorrect Permission Assignment for Critical Resource in packagist/silverstripe/assets

Identifiers

GHSA-jvx5-rm6q-gx7p, CVE-2019-12245

Package Slug

packagist/silverstripe/assets

Vulnerability

Incorrect Permission Assignment for Critical Resource

Description

SilverStripe through 4.3.3 has incorrect access control for protected files uploaded via Upload::loadIntoFile(). An attacker may be able to guess a filename in silverstripe/assets via the AssetControlExtension.

Affected Versions

All versions starting from 1.0.0 before 1.3.5, all versions starting from 1.4.0 before 1.4.4

Solution

Upgrade to versions 1.3.5, 1.4.4 or above.

Last Modified

2024-02-05
