Script Execution Vulnerability in Silverstripe CMS by Silverstripe
CVE-2020-9309

8.8HIGH

Key Information:

Vendor: Silverstripe
Status: Recipe; Mimevalidator
Vendor: CVE Published:; 15 July 2020

🔔 Create Silverstripe Vulnerability Alert

What is CVE-2020-9309?

Silverstripe CMS versions prior to 4.5 can be exploited through a script execution vulnerability that arises from the mishandling of uploaded files. Malicious actors could potentially upload files with executable content masquerading as safe file types (such as HTML code in a TXT file). When stored as protected or draft files, the inadequate MIME detection in browsers could result in the execution of these malicious files. Although uploads are restricted to authorized users by default, this feature can be altered through custom logic or via additional modules, such as silverstripe/userforms. To mitigate this vulnerability, it is recommended that sites utilizing the silverstripe/mimevalidator module configure MIME whitelists rather than relying solely on extension whitelists. Sites on the Common Web Platform (CWP) that employ this module by default are not susceptible.

References

https://www.silverstripe.org/download/security-releases/C...

x_refsource_CONFIRM

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 15, 2020
Vulnerability Reserved
Feb 20, 2020

CVE-2020-9309 Data

JSON