GHSA-vcg6-8fxc-x5cq: 
PHP vulnerability analysis and mitigation

A security vulnerability (GHSA-vcg6-8fxc-x5cq) was identified in the SilverStripe framework, affecting versions 3.6.5-rc1 to 3.6.6, 4.0.3-rc1 to 4.0.4, and 4.1.0-rc1 to 4.1.1. The vulnerability was discovered in 2018 and involved dangerous file types being allowed in the default upload configuration (GitHub Advisory, SilverStripe Advisory).

The vulnerability exists in the File.allowed_extensions configuration where certain potentially dangerous file types were included in the default allowed extensions. The affected file types included .css, .js, .potm, .dotm, .xltm, and .jar files. The issue received a High severity rating with a CVSS score of 8.8, characterized by Network attack vector, Low attack complexity, Low privileges required, and No user interaction needed (GitHub Advisory).

If exploited, this vulnerability could allow a malicious CMS user to upload files that would be executed in the security context of the website, potentially leading to unauthorized code execution and system compromise. The vulnerability affects both the file upload functionality and access to existing uploads with these extensions (SilverStripe Advisory).

The issue was patched in versions 3.6.6, 4.0.4, and 4.1.1. The fix removed the ability to upload .css, .js, .potm, .dotm, .xltm, and .jar files in the default configuration. Since allowed_extensions are synchronized to webserver configuration in assets/.htaccess automatically, the fix also denies access to any existing uploads with these extensions (SilverStripe Advisory).