Miggo Logo

CVE-2019-14273: Broken access control on files

5.3

CVSS Score
3.1

Basic Information

EPSS Score
0.55844%
Published
7/15/2020
Updated
2/1/2024
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
silverstripe/frameworkcomposer>= 4.0.0, < 4.3.54.3.5
silverstripe/frameworkcomposer>= 4.4.0, < 4.4.44.4.4

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from missing access control checks when serving files embedded in published content. File::getURL() likely provided direct access URLs without considering embedded context permissions, while AssetStore::getAsStream() served content without re-validating permissions for the current request context. This allowed protected files to be accessed through published content links despite folder protection settings. The migration task mentioned in SilverStripe's advisory suggests changes to URL generation and access validation patterns.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

In Silv*rStrip* *ss*ts *.*, t**r* is *rok*n ****ss *ontrol on *il*s.

Reasoning

T** vuln*r**ility st*ms *rom missin* ****ss *ontrol ****ks w**n s*rvin* *il*s *m****** in pu*lis*** *ont*nt. `*il*::**tURL()` lik*ly provi*** *ir**t ****ss URLs wit*out *onsi**rin* *m****** *ont*xt p*rmissions, w*il* `*ss*tStor*::**t*sStr**m()` s*rv*