Skip to main content

This site requires you to update your browser. Your browsing experience maybe affected by not having the most up to date version.

CVE-2019-16409 secureassets and versionedfiles modules can expose versions of protected files

Severity:
Medium (?)
Identifier:
CVE-2019-16409
Versions Affected:
^4.0
Versions Fixed:
4.3.5, 4.4.4
Release Date:
2019-09-24

Users who migrated from a 3.x site that used the versionedfiles module will have its _versions folders left as artefacts in their public filesystems, leaving all the unpublished versions of old files publicly accessible under a guessable URL. This module was superseded by the file versioning functionality provided by the core 4.x recipe, meaning these _versions folders have no ongoing functional utility and should be deleted or blocked from web requests.

Base CVSS Score: 5.9

CWP CVSS Score: 5.9

Thanks to Charlie Bergthaler and Jakub Dolba (SilverStripe Ltd) for reporting this issue.