PT-2019-14665 · Silverstripe · Silverstripe+1

Published

2019-09-26

Updated

2021-07-21

CVE-2019-16409

CVSS v3.1

5.3

Medium

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions SilverStripe Versioned Files module versions through 2.0.3 for SilverStripe 3.x

Description The issue allows unpublished versions of files to be publicly exposed if their URL can be guessed. This could be facilitated by understanding the source code of the Versioned Files module. It is noted that upgrading from SilverStripe 3.x to 4.x does not automatically remove or alert users to the potential insecurity of existing versioned files, as versioning is built into the 4.x release.

Recommendations For SilverStripe Versioned Files module versions through 2.0.3, consider removing or securing unpublished file versions to prevent public exposure. As a temporary workaround, restrict access to the Versioned Files module until a more permanent solution can be applied.

Exploit

Fix

Information Disclosure

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-200

Related Identifiers

CVE-2019-16409

GHSA-XM6J-X342-GWQ9

Affected Products

Silverstripe

Silverstripe Versioned Files Module

PT-2019-14665 · Silverstripe · Silverstripe+1

CVE-2019-16409

Weakness Enumeration

Related Identifiers

Affected Products

References · 7