CVE-2019-16409

Name of the Vulnerable Software and Affected Versions SilverStripe Versioned Files module versions through 2.0.3 for SilverStripe 3.x

Description The issue allows unpublished versions of files to be publicly exposed if their URL can be guessed. This could be facilitated by understanding the source code of the Versioned Files module. It is noted that upgrading from SilverStripe 3.x to 4.x does not automatically remove or alert users to the potential insecurity of existing versioned files, as versioning is built into the 4.x release.

Recommendations For SilverStripe Versioned Files module versions through 2.0.3, consider removing or securing unpublished file versions to prevent public exposure. As a temporary workaround, restrict access to the Versioned Files module until a more permanent solution can be applied.