CVE-2019-16409 — Sensitive Information Exposure in Framework

CWE-200 — Sensitive Information Exposure3 documents3 sources

Severity

5.3MEDIUMNVD

EPSS

0.3%

top 46.82%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Silverstripe Framework Silverstripe Symbiote Versionedfiles +1 more

Timeline

PublishedSep 26

Latest updateNov 12

Description

In the Versioned Files module through 2.0.3 for SilverStripe 3.x, unpublished versions of files are publicly exposed to anyone who can guess their URL. This guess could be highly informed by a basic understanding of the symbiote/silverstripe-versionedfiles source code. (Users who upgrade from SilverStripe 3.x to 4.x and had Versioned Files installed have no further need for this module, because the 4.x release has built-in versioning. However, nothing in the upgrade process automates the destruc…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages4 packages

▶Packagistsymbiote/silverstripe-versionedfiles2.0.3

▶NVDsymbiote/versionedfiles2.0.3

▶Packagistsilverstripe/framework4.0.0 — 4.3.5+1

▶NVDsilverstripe/silverstripe3.0.0 — 3.7.4

🔴Vulnerability Details

OSV

SilverStripe Versioned Files module Unpublished files are exposed publicly↗2019-11-12

▶

GHSA

SilverStripe Versioned Files module Unpublished files are exposed publicly↗2019-11-12

▶