GoogleOSV:GHSA-CX45-565Q-6QX8SilverStripe Subsite weakens file permissions
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS
Percentile
34.5%
The subsites module can weaken edit restrictions on some files and allow a malicious user to edit files they do not have edit rights to.
This only affects projects with the subsites module installed. Regression testing should focus on custom file logic.
Be advised that this is not a case of a user being able to edit a file in subsites they do not have access to. As a reminder, all separation of content achieved with the subsites module should be viewed as cosmetic and not appropriate for security-critical applications.
References
github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/subsites/CVE-2022-42949.yaml
github.com/silverstripe/silverstripe-subsites
github.com/silverstripe/silverstripe-subsites/commit/73f3d15bfb90ba779dd5498fcc5ae4ab292d6272
nvd.nist.gov/vuln/detail/CVE-2022-42949
www.silverstripe.org/download/security-releases
www.silverstripe.org/download/security-releases/cve-2022-42949
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS
Percentile
34.5%