CVE-2019-14272 XSS in file titles managed through the CMS
- Medium (?)
- Versions Affected:
- Versions Fixed:
- 4.3.5, 4.4.4
- Release Date:
SilverStripe allows XSS by authenicated users through editing file titles through the CMS. This can lead to privilege escalation by malicious authenticated users with otherwise more limited access.
The CMS generally allows file upload through the CMS for authenticated users (through rich text content editing, or the "assets" section). It is common to add custom file uploads to the CMS UI for authenticated users as well. In some cases, file upload is allowed by unauthenticated users on the website itself (e.g. as attachments through the popular "userforms" module).
Files have titles which are different from their filenames. By default, these titles can only be edited in the CMS. When files are uploaded by unauthenticated users, it is common practice to derive the file title from the sanitised file name, which is not vulnerable to the same XSS flaw.
CWP CVSS Score: 4.9
Thanks to Bot Kotatu for reporting