GHSA-55pp-293f-3365: 
PHP vulnerability analysis and mitigation

The vulnerability (GHSA-55pp-293f-3365) affects the SilverStripe UserForms module, which was discovered and disclosed on August 31, 2015. This moderate severity issue impacts versions below 3.0.0 of the silverstripe/userforms Composer package. The vulnerability involves file upload exposure in the UserForms module, where CMS administrators can create public-facing forms with file upload capabilities (SilverStripe Advisory, GitHub Advisory).

The vulnerability stems from files being uploaded to a predictable public path on the website, unless specifically configured otherwise by the CMS administrator. While the uploaded file names are not predictable, certain administrative actions could lead to exposure. For instance, submission notification emails contain direct file links without proper authorization checks. The vulnerability has been assigned a CVSS v3.1 score of 4.3 (Moderate), with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. The weakness is categorized as CWE-200, indicating an information exposure vulnerability (GitHub Advisory).

The primary impact of this vulnerability is the potential exposure of uploaded files to unauthorized users. Files uploaded through the forms could be accessed by unauthorized parties if the file location becomes known, particularly through submission notification emails that contain direct links to the files without proper authorization checks (SilverStripe Advisory).

The vulnerability was patched in version 3.0.0 of the UserForms module. In this version, the file upload field is disabled by default and can only be re-enabled upon installation of the secure assets module. When enabled with the secure assets module, the system automatically applies secure permissions to the upload folders, restricting access to authorized users. Existing file upload fields require re-enabling via configuration or installation of secure assets to become editable again (SilverStripe Advisory).