CVE-2019-12245: Information Exposure

September 25, 2019 (updated September 27, 2019)

SilverStripe has incorrect access control for protected files uploaded via Upload::loadIntoFile(). An attacker may be able to guess a filename in silverstripe/assets via the AssetControlExtension.

References

forum.silverstripe.org/c/releases
nvd.nist.gov/vuln/detail/CVE-2019-12245
www.silverstripe.org/download/security-releases/
www.silverstripe.org/download/security-releases/CVE-2019-12245

Detect and mitigate CVE-2019-12245 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →