Lack of access control on upoaded files
Moderate severity
GitHub Reviewed
Published
Nov 12, 2019
to the GitHub Advisory Database
•
Updated Feb 5, 2024
Description
Reviewed
Nov 12, 2019
Published to the GitHub Advisory Database
Nov 12, 2019
Last updated
Feb 5, 2024
SilverStripe through 4.3.3 has incorrect access control for protected files uploaded via Upload::loadIntoFile(). An attacker may be able to guess a filename in silverstripe/assets via the AssetControlExtension.
References