Vulnerability Details : CVE-2020-9280
In SilverStripe through 4.5, files uploaded via Forms to folders migrated from Silverstripe CMS 3.x may be put to the default "/Uploads" folder instead. This affects installations which allowed upload folder protection via the optional silverstripe/secureassets module under 3.x. This module is installed and enabled by default on the Common Web Platform (CWP). The vulnerability only affects files uploaded after an upgrade to 4.x.
Products affected by CVE-2020-9280
- cpe:2.3:a:silverstripe:silverstripe:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-9280
- 0.23%: probability of exploitation activity in the next 30 days
- ~60%: percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-9280
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N | 10.0 | 2.9 | NIST | |
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 | NIST | |
CWE ids for CVE-2020-9280
- The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-9280
- https://www.silverstripe.org/download/security-releases/ (Security Releases » SilverStripe; Vendor Advisory)
- https://forum.silverstripe.org/c/releases (Latest Releases topics - Silverstripe Forum; Vendor Advisory)
- https://www.silverstripe.org/download/security-releases/cve-2020-9280 (CVE-2020-9280 Folders migrated from 3.x may be unsafe to upload to » SilverStripe; Vendor Advisory)