
Cloud Vulnerability DB
A community-led vulnerabilities database
In SilverStripe through 4.6.0-rc1, a FormField with square brackets in the field name skips validation. This vulnerability affects the FileField class commonly used for file upload in custom code on SilverStripe websites. The vulnerability is tracked as CVE-2020-26138 and was disclosed on June 8, 2021 (NVD).
The vulnerability exists in the FileField class, which is designed for single file uploads. When the field name carries square brackets, PHP parses the submitted values as an array, so the FileField is coerced into accepting multiple files, a case the class does not support. In this scenario, critical security controls such as file extension validation and the FileField->saveInto() behavior are bypassed. The vulnerability affects SilverStripe framework versions ^3.0.0 and ^4.0.0, and was fixed in versions ^4.7.4 and ^4.8.0. The vulnerability has been assigned a CVSS base score of 3.4 (Low severity) (Silverstripe Security).
If custom controller logic is used to process file uploads while implicitly relying on Form system validation, the bypass could allow uploading of files with unauthorized extensions. This primarily affects custom implementations using FileField, not the UploadField used within the CMS (Silverstripe Security).
The vulnerability was patched in SilverStripe framework versions 4.7.4 and 4.8.0. Users should upgrade to these or newer versions. The issue only affects FileField implementations, not the UploadField used within the CMS (Silverstripe Security).
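To make the defensive point concrete, the following is an added example written for this page; it is not SilverStripe project code and does not reproduce the FileField class. It shows the check a custom upload handler should perform itself: reject an upload entry whose `$_FILES` components are arrays (the shape PHP produces for a field name with square brackets) and enforce an extension allowlist independently of the Form validation the advisory says can be bypassed. The field name `Upload`, the allowlist, and the sample `$_FILES` arrays are constructed for illustration.

```php
<?php
// Added example (not SilverStripe code). A single-file upload handler must
// (1) refuse array-shaped $_FILES entries, which PHP produces when the field
//     name carries square brackets (e.g. "Upload[]"), and
// (2) apply its own extension allowlist rather than rely on Form validation.
// The field name and the allowlist below are assumptions for illustration.

declare(strict_types=1);

const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];

/**
 * Validate one $_FILES entry for a field that supports exactly one file.
 * Returns an empty array on success, otherwise a list of error messages.
 */
function validateSingleUpload(array $files, string $fieldName): array
{
    if (!isset($files[$fieldName]) || !is_array($files[$fieldName])) {
        return ['No upload for field ' . $fieldName];
    }
    $entry = $files[$fieldName];

    // For "Upload[]" every component ('name', 'tmp_name', ...) is itself an
    // array. A single-file field must treat that as invalid input instead of
    // silently processing one (or all) of the submitted files.
    foreach (['name', 'type', 'tmp_name', 'error', 'size'] as $key) {
        if (!array_key_exists($key, $entry)) {
            return ["Malformed upload entry: missing '$key'"];
        }
        if (is_array($entry[$key])) {
            return ['Multiple files submitted to a single-file field'];
        }
    }

    if ((int) $entry['error'] !== UPLOAD_ERR_OK) {
        return ['Upload failed with PHP error code ' . (int) $entry['error']];
    }

    // Extension allowlist enforced here, in the handler, regardless of what
    // the surrounding form did or did not validate.
    $ext = strtolower(pathinfo((string) $entry['name'], PATHINFO_EXTENSION));
    if ($ext === '' || !in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return ["Extension '$ext' is not permitted"];
    }
    return [];
}

// Constructed sample inputs; 'tmp_name' values are placeholders, no real files.
$singleOk = ['Upload' => [
    'name' => 'photo.png', 'type' => 'image/png', 'tmp_name' => '/tmp/phpA1',
    'error' => UPLOAD_ERR_OK, 'size' => 1024,
]];
$singleBadExt = ['Upload' => [
    'name' => 'archive.exe', 'type' => 'application/octet-stream',
    'tmp_name' => '/tmp/phpB2', 'error' => UPLOAD_ERR_OK, 'size' => 2048,
]];
$arrayShaped = ['Upload' => [            // what "Upload[]" produces
    'name' => ['photo.png', 'second.txt'], 'type' => ['image/png', 'text/plain'],
    'tmp_name' => ['/tmp/phpC3', '/tmp/phpD4'], 'error' => [0, 0], 'size' => [1024, 64],
]];

foreach (['singleOk' => $singleOk, 'singleBadExt' => $singleBadExt,
          'arrayShaped' => $arrayShaped] as $label => $files) {
    $errors = validateSingleUpload($files, 'Upload');
    echo $label, ': ', $errors === [] ? 'accepted' : implode('; ', $errors), PHP_EOL;
}
```

The handler returns early on the array-shaped case before touching any file, which is the behavior the advisory's affected FileField lacked: the decision about whether the submission matches the field's single-file contract is made explicitly, not left to a validation step that the square-bracket form can sidestep.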
Source: This report was generated using AI