CVE-2020-6164 Information disclosure on /interactive URL path

Severity: Low
Versions Affected:
silverstripe/framework: ^3.0, silverstripe/framework: ^4.0
Versions Fixed:
silverstripe/framework: 4.4.7, silverstripe/framework: 4.5.4, silverstripe/framework: 4.6.0
Release Date:

A specific URL path configured by default through the silverstripe/framework module can be used to disclose the fact that a domain is hosting a Silverstripe application. There is no disclosure of the specific version. The functionality on this URL path is limited to execution in a CLI context, and is not known to present a vulnerability through web-based access. As a side-effect, this preconfigured path also blocks the creation of other resources on this path (e.g. a page).

Base CVSS: 0.0


Reporter: Elliot Sawyer, Senior Silverstripe Developer, Catalyst