CVE-2020-26138
published 2021-06-08CVE-2020-26138: In SilverStripe through 4.6.0-rc1, a FormField with square brackets in the field name skips validation.
PriorityP425medium5.3CVSS 3.1
AVNACLPRNUINSUCNILAN
EPSS
1.34%
67.8th percentile
In SilverStripe through 4.6.0-rc1, a FormField with square brackets in the field name skips validation.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| silverstripe | framework | >= 3.0.0 < 4.7.4 | 4.7.4 |
| silverstripe | silverstripe | < 4.6.0 | 4.6.0 |
| silverstripe | silverstripe | — | — |
CVSS provenance
nvdv3.15.3MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:N/I:P/A:N
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
FormField with square brackets in field name skips validation
osv·2022-03-26
CVE-2020-26138 [MEDIUM] FormField with square brackets in field name skips validation
FormField with square brackets in field name skips validation
FileField with array notation skips validation
The FileField class is commonly used for file upload in custom code on a Silverstripe website. This field is designed to be used with a single file upload.
PHP allows for submitting multiple values by adding square brackets to the field name. When this is done to a FileField, it will be coerced into allowing multiple files by using this notation. This is not a supported feature, though nothing is done to prevent this.
In this scenario, validation such as limiting allowed extensions is not applied, and the FileField->saveInto() behaviour is not triggered. If custom controller logic is used to process the file uploads, it might implicitly rely on validation to be provided by the F
GHSA
FormField with square brackets in field name skips validation
ghsa·2022-03-26
CVE-2020-26138 [MEDIUM] CWE-20 FormField with square brackets in field name skips validation
FormField with square brackets in field name skips validation
FileField with array notation skips validation
The FileField class is commonly used for file upload in custom code on a Silverstripe website. This field is designed to be used with a single file upload.
PHP allows for submitting multiple values by adding square brackets to the field name. When this is done to a FileField, it will be coerced into allowing multiple files by using this notation. This is not a supported feature, though nothing is done to prevent this.
In this scenario, validation such as limiting allowed extensions is not applied, and the FileField->saveInto() behaviour is not triggered. If custom controller logic is used to process the file uploads, it might implicitly rely on validation to be provided by the F
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://forum.silverstripe.org/c/releaseshttps://www.silverstripe.org/blog/tag/releasehttps://www.silverstripe.org/download/security-releases/https://www.silverstripe.org/download/security-releases/cve-2020-26138https://forum.silverstripe.org/c/releaseshttps://www.silverstripe.org/blog/tag/releasehttps://www.silverstripe.org/download/security-releases/https://www.silverstripe.org/download/security-releases/cve-2020-26138
2021-06-08
Published