CVE-2019-14273 Broken Access control on files
- Low (?)
- Versions Affected:
- Versions Fixed:
- 4.3.5, 4.4.4
- Release Date:
Unauthenticated users can access files which with restricted view permissions when embedded in content. This does not affect draft files, or files which aren't embedded in content.
In SilverStripe 4.x and CWP 2.x, files have a draft stage, and can be published. Before publication, they are only accessible to CMS users with access to view draft content (as well as administrators). Separately, published files can be placed in protected folders, with view and edit permissions restricted by certain CMS user groups only ("protected files").
Files can be embedded into other content managed through the CMS, as images or links. Publishing this content will automatically publish these embedded files. If these files are protected (viewable by certain CMS user groups), direct access to the file URL will be denied even for if the file is published. But when accessing the file through linked in the published content, access will be granted without further permission checks.
Base CVSS Score: 3.5
CWP CVSS Score: 3.5
Thanks to Normann Lou for reporting this issue.
2020-04-15 update: Migration task now available
The Silverstripe CMS 4.4.6/4.5.2 release include some additional remedial work related to this vulnerability. A file migration task has been created to retroactively protect files exposed by this vulnerability.
Read the Silverstripe CMS 4.4.6 change log for further details.