CVE-2020-9309 Script execution on protected files with MIME spoofing content

Severity: Medium
Identifier: CVE-2020-9309
Versions Affected: silverstripe/recipe-core: ^4.0.0
Versions Fixed: silverstripe/recipe-core: 4.6.0 or silverstripe/mimetype-validator: 2.0.0
Release Date: 2020-07-13

Silverstripe CMS can be susceptible to script execution from malicious upload contents under allowed file extensions (for example HTML code in a TXT file). When these files are stored as protected or draft files, the MIME detection can cause browsers to execute the file contents. Uploads stored as protected or draft files are allowed by default for authorised users only, but can also be enabled through custom logic as well as modules such as silverstripe/userforms.

Sites using the previously optional silverstripe/mimevalidator module can configure MIME whitelists rather than extension whitelists, and hence prevent this issue. Sites on the Common Web Platform (CWP) use this module by default, and are not affected.

Sites upgrading to silverstripe/recipe-core 4.6.0 will automatically be protected, as silverstripe/mimevalidator is now a core dependency. Sites using an older version of silverstripe/recipe-core need to manually install and configure silverstripe/mimevalidator.
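
The difference between an extension whitelist and a MIME whitelist, shown as an added Python example that is not Silverstripe or silverstripe/mimevalidator code. The detector is deliberately simplified, and the `ALLOWED_MIME` policy, function names and sample uploads are assumptions constructed for illustration.

```python
import re
from typing import Tuple

# Assumed policy for this example: extension -> MIME types its content may be.
ALLOWED_MIME = {"txt": {"text/plain"}, "png": {"image/png"}}

# Subset of the tags that make a content sniffer treat a body as HTML.
_HTML_TAG = re.compile(rb"<\s*(!doctype\s+html|html|head|body|script|iframe|svg)\b", re.I)

def _ext(filename: str) -> str:
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""

def extension_only_ok(filename: str) -> bool:
    """Extension whitelist: looks at the name, never at the bytes."""
    return _ext(filename) in ALLOWED_MIME

def detect_mime(data: bytes) -> str:
    """Simplified content detection: magic bytes, then HTML tags, then text."""
    head = data[:1024]
    if head.startswith(b"\x89PNG\r\n\x1a\n"):
        return "image/png"
    if _HTML_TAG.search(head):
        return "text/html"
    if b"\x00" in head:
        return "application/octet-stream"
    return "text/plain"

def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """MIME whitelist: the detected type must be allowed for the extension."""
    allowed = ALLOWED_MIME.get(_ext(filename))
    if allowed is None:
        return False, "extension not allowed"
    detected = detect_mime(data)
    if detected not in allowed:
        return False, f"content detected as {detected}"
    return True, detected

# Constructed sample uploads (not taken from the advisory).
SAMPLES = [
    ("notes.txt", b"Meeting notes for Tuesday\n"),
    ("notes.txt", b"<html><body><h1>hello</h1></body></html>"),
    ("logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
]

if __name__ == "__main__":
    for name, body in SAMPLES:
        print(name, extension_only_ok(name), validate_upload(name, body))
```

The second sample passes the extension check but is rejected by the content check, which is the mismatch this advisory describes.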

Read the changelog for your targeted release for more information on the best course of action:

Base CVSS: 4.6

CWP CVSS: 0.0 (CWP customers are unaffected by this vulnerability.)

Reporter: Maxime Rainville, Senior Open-Source Developer, Silverstripe Ltd

Addendum: silverstripe/userforms 5.6.0 added an explicit requirement on silverstripe/mimevalidator for the file upload field as a further security enhancement. However, this fix was not properly merged up in the development branches, so silverstripe/userforms 5.6.1, 5.6.2 and 5.7.0 erroneously removed the new mimevalidator package. silverstripe/userforms 5.6.3 and 5.7.1 have been tagged to reintroduce the mimevalidator package and remedy this issue.