GMS-2022-8544: Subsite weakens file permissions

December 19, 2022

The subsites module can weaken edit restrictions on some files and allow a malicious user to edit files they do not have edit rights to.

This only affects projects with the subsites module installed. Regression testing should focus on custom file logic.

Be advised that this is not a case of a user being able to edit a file in subsites they do not have access to. As a reminder, all separation of content achieved with the subsites module should be viewed as cosmetic and not appropriate for security-critical applications.

References

github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/subsites/CVE-2022-42949.yaml
github.com/advisories/GHSA-cx45-565q-6qx8
github.com/silverstripe/silverstripe-subsites/commit/73f3d15bfb90ba779dd5498fcc5ae4ab292d6272
www.silverstripe.org/download/security-releases/cve-2022-42949

Code Behaviors & Features

Detect and mitigate GMS-2022-8544 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →