CVE-2019-12245

MEDIUM5.3EPSS 0.26%

Lack of access control on upoaded files

發布日:2019/11/12修改日:2024/2/16

描述

SilverStripe through 4.3.3 has incorrect access control for protected files uploaded via Upload::loadIntoFile(). An attacker may be able to guess a filename in silverstripe/assets via the AssetControlExtension.

受影響套件(2)

Packagist/silverstripe/assets>= 1.0.0, < 1.3.5
Packagist/silverstripe/frameworkfrom 0, < 3.6.8

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

參考連結(6)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2019-12245
WEBhttps://forum.silverstripe.org/c/releases
WEBhttps://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/assets/CVE-2019-12245.yaml
WEBhttps://www.silverstripe.org/download/security-releases
WEBhttps://www.silverstripe.org/download/security-releases/cve-2019-12245
WEBhttps://www.silverstripe.org/download/security-releases/CVE-2019-12245