GHSA-55PP-293F-3365
Vulnerability from github – Published: 2024-05-28 17:21 – Updated: 2024-05-28 17:21The userforms module allows CMS administrators to create public facing forms with file upload abilities. These files are uploaded into a predictable public path on the website, unless configured otherwise by the CMS administrator setting up the form. While the name of the uploaded file itself is not predictable, certain actions taken by CMS authors could expose it. For example, submission notification emails contain a link to the file without authorisation checks.
In 3.0.0 this field is disabled by default, but re-enabled upon installation of the secure assets module. When this is installed, the field can once again be used within a form, and will automatically lock this folder to a secure list of users, which can then be configured further by an administrator.
Existing file upload fields will not be disabled, but will require re-enabling via config or installation of secure assets to become editable again.
If any upload field points or is pointed to a folder that is not secured, and the secure assets module is present, then that folder will have the secure permissions applied automatically.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "silverstripe/userforms"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-200"
],
"github_reviewed": true,
"github_reviewed_at": "2024-05-28T17:21:00Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "The [userforms module](https://github.com/silverstripe/silverstripe-userforms) allows CMS administrators to create public facing forms with file upload abilities. These files are uploaded into a predictable public path on the website, unless configured otherwise by the CMS administrator setting up the form. While the name of the uploaded file itself is not predictable, certain actions taken by CMS authors could expose it. For example, submission notification emails contain a link to the file without authorisation checks.\n\nIn 3.0.0 this field is disabled by default, but re-enabled upon installation of the [secure assets module](https://github.com/silverstripe-labs/silverstripe-secureassets). When this is installed, the field can once again be used within a form, and will automatically lock this folder to a secure list of users, which can then be configured further by an administrator.\n\nExisting file upload fields will not be disabled, but will require re-enabling via config or installation of secure assets to become editable again.\n\nIf any upload field points or is pointed to a folder that is not secured, and the secure assets module is present, then that folder will have the secure permissions applied automatically.",
"id": "GHSA-55pp-293f-3365",
"modified": "2024-05-28T17:21:00Z",
"published": "2024-05-28T17:21:00Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/userforms/SS-2015-018-1.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/silverstripe/silverstripe-userforms"
},
{
"type": "WEB",
"url": "https://www.silverstripe.org/software/download/security-releases/ss-2015-018"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "silverstripe/userforms file upload exposure on UserForms module"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.