CVE-2020-9309: Silverstripe CMS malicious file upload enables script execution
CVSS Score: 8.8 (CVSS 3.1)
Basic Information
CVE ID: CVE-2020-9309
GHSA ID
EPSS Score: 0.71691%
CWE: CWE-434
Published: 5/24/2022
Updated: 8/22/2023
KEV Status: No
Technology: PHP
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
silverstripe/cms | composer | <= 4.5.0 | |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from insufficient MIME type validation in file upload handling. By default, Silverstripe CMS's core Upload_Validator class validates uploads by file extension only. When the optional mimevalidator module is not installed, the validate() method of Upload_Validator performs no MIME type check, so a file whose extension is on the allow list is accepted regardless of its actual content, and a file with dangerous content can be uploaded under a permitted extension. This matches the CWE-434 (Unrestricted Upload of File with Dangerous Type) description and the advisory's point that MIME validation is optional; the role of validate() in the upload validation pipeline and the content-based MIME checking that the mimevalidator module adds are what make that module the mitigation.
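The contrast described above, as an added illustrative example in plain PHP. This is not Silverstripe's Upload_Validator or mimevalidator code; the function names, the allow-list and the sample bytes are assumptions constructed for the example.

```php
<?php
// Illustrative example (not Silverstripe code): an extension-only check
// beside a check that also sniffs the bytes with finfo and requires the
// detected MIME type to be one permitted for that extension.
declare(strict_types=1);

// Assumed allow-list: extension => MIME types expected for that extension.
const ALLOWED_TYPES = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'gif'  => ['image/gif'],
    'pdf'  => ['application/pdf'],
];

// Weak form: accepts any file whose extension is on the allow-list,
// without looking at the content.
function extensionOnlyValidate(string $filename): bool
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return isset(ALLOWED_TYPES[$ext]);
}

// Hardened form: the extension must be allowed AND the MIME type detected
// from the file content must match what that extension is allowed to carry.
function validateUpload(string $filename, string $contents): bool
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        return false;
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->buffer($contents);
    return $detected !== false && in_array($detected, ALLOWED_TYPES[$ext], true);
}

// Constructed samples: a minimal JPEG/JFIF header, and a PHP opening tag
// saved under an image extension (content that libmagic reports as text/x-php).
$jpegBytes = "\xFF\xD8\xFF\xE0\x00\x10JFIF\x00\x01";
$phpBytes  = "<?php echo 'constructed sample'; ?>\n";

foreach (['real image' => $jpegBytes, 'php under .jpg' => $phpBytes] as $label => $bytes) {
    printf(
        "%-15s extension-only: %s  extension+MIME: %s\n",
        $label,
        extensionOnlyValidate('photo.jpg') ? 'accept' : 'reject',
        validateUpload('photo.jpg', $bytes) ? 'accept' : 'reject'
    );
}
```

The extension-only check accepts both samples because it never reads the content; the combined check rejects the second sample because the detected MIME type is not one permitted for .jpg.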