CVE-2020-6164Sensitive Information Exposure in Silverstripe

CWE-200Sensitive Information Exposure3 documents3 sources
Severity
7.5HIGHNVD
EPSS
0.7%
top 27.90%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
SilverstripeSilverstripe FrameworkSilverstripe CMS
Timeline
PublishedJul 15
Latest updateMay 24

Description

In SilverStripe through 4.5.0, a specific URL path configured by default through the silverstripe/framework module can be used to disclose the fact that a domain is hosting a Silverstripe application. There is no disclosure of the specific version. The functionality on this URL path is limited to execution in a CLI context, and is not known to present a vulnerability through web-based access. As a side-effect, this preconfigured path also blocks the creation of other resources on this path (e.g.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

Packagistsilverstripe/framework4.0.04.4.7+1
NVDsilverstripe/silverstripe4.0.04.4.7+2
Packagistsilverstripe/cms4.5.0

🔴Vulnerability Details

2
GHSA
Silverstripe CMS information disclosure2022-05-24
OSV
Silverstripe CMS information disclosure2022-05-24