Description
In SilverStripe through 4.5, files uploaded via Forms to folders migrated from Silverstripe CMS 3.x may be put to the default "/Uploads" folder instead. This affects installations which allowed upload folder protection via the optional silverstripe/secureassets module under 3.x. This module is installed and enabled by default on the Common Web Platform (CWP). The vulnerability only affects files uploaded after an upgrade to 4.x.
References (3)
Core 3
Core References
Vendor Advisory x_refsource_confirm
https://www.silverstripe.org/download/security-releases/
Vendor Advisory x_refsource_misc
https://forum.silverstripe.org/c/releases
Vendor Advisory x_refsource_confirm
https://www.silverstripe.org/download/security-releases/cve-2020-9280
Scores
CVSS v3
7.5
EPSS
0.0039
EPSS Percentile
59.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-434
Status
published
Products (4)
silverstripe/assets
1.0.0 - 1.4.7Packagist
silverstripe/framework
4.0.0 - 4.4.6Packagist
silverstripe/silverstripe
4.0.0 - 4.5.0
silverstripe/userforms
5.0.0 - 5.4.2Packagist
Published
Apr 15, 2020
Tracked Since
Feb 18, 2026