CVE-2019-12204
Description
In SilverStripe through 4.3.3, a missing warning about leaving install.php in a public webroot can lead to unauthenticated admin access.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SilverStripe through 4.3.3 leaves install.php accessible, allowing unauthenticated re-installation and admin access.
Vulnerability Description
CVE-2019-12204 affects SilverStripe CMS versions up to 4.3.3. The vulnerability stems from the absence of a warning to remove the install.php script from the public webroot after installation. Administrators are not reminded to delete this file, leaving it exposed to unauthenticated users [2].
Exploitation
An attacker who can access the webroot can simply navigate to /install.php. If the file is present, they can re-run the installation process without authentication. By providing new administrative credentials, the attacker can overwrite the existing administrator account and gain full control over the SilverStripe instance [3].
Impact
Successful exploitation results in unauthenticated administrative access to the SilverStripe CMS. The attacker can then modify site content, access sensitive data, or use the compromised server for further attacks. This is a critical vulnerability as it requires no prior authentication [2].
Mitigation
The issue is addressed by removing install.php after installation. SilverStripe has released updates with warnings and automatic removal mechanisms in later versions. Users should ensure that install.php is deleted from the webroot immediately after installation [3].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| silverstripe/cms (Packagist) | >= 4.4.0, < 4.4.4 | 4.4.4 |
| silverstripe/framework (Packagist) | >= 4.1.0, < 4.3.5 | 4.3.5 |
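A defender-side check for the two conditions described above, as an added example that is not code from SilverStripe or from this page's source: it flags locked Composer packages that fall inside the ranges in the table and reports a leftover install.php. The function names, the `public/` and project-root webroot candidates, and the sample fixture are assumptions made for illustration.

```python
import json, tempfile
from pathlib import Path

# Ranges from the "Affected packages" table: name -> (first affected, first patched)
AFFECTED = {
    "silverstripe/cms": ((4, 4, 0), (4, 4, 4)),
    "silverstripe/framework": ((4, 1, 0), (4, 3, 5)),
}

def parse_version(text):
    """'v4.3.3' -> (4, 3, 3); None for non-numeric versions such as 'dev-master'.
    Pre-release suffixes ('-rc1') are ignored, a deliberate simplification."""
    parts = text.lstrip("v").split("-")[0].split("+")[0].split(".")
    if not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in (parts + ["0", "0"])[:3])

def audit(project_root, webroots=("public", ".")):
    """Return findings for one project: affected locked packages, leftover installer.
    The webroot candidates (public/ and the project root) are assumptions."""
    root, findings = Path(project_root), []
    lock = root / "composer.lock"
    if lock.is_file():
        for pkg in json.loads(lock.read_text(encoding="utf-8")).get("packages", []):
            name, raw = pkg.get("name"), str(pkg.get("version", ""))
            if name not in AFFECTED:
                continue
            low, fixed = AFFECTED[name]
            ver = parse_version(raw)
            if ver is None:
                findings.append(f"{name} {raw}: version not comparable, check manually")
            elif low <= ver < fixed:
                findings.append(f"{name} {raw}: in affected range")
    for sub in webroots:
        installer = root / sub / "install.php"
        if installer.is_file():
            findings.append(f"installer present: {installer.relative_to(root).as_posix()}")
    return findings

def build_sample(root):
    """Constructed fixture: a lock file with one affected package and a leftover installer."""
    pkgs = [{"name": "silverstripe/framework", "version": "4.3.3"},
            {"name": "silverstripe/cms", "version": "4.4.4"}]
    Path(root, "composer.lock").write_text(json.dumps({"packages": pkgs}))
    Path(root, "public").mkdir()
    Path(root, "public", "install.php").write_text("<?php // placeholder\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print("\n".join(audit(tmp)))
```

Point `audit()` at a real project directory in place of the fixture; an empty list means neither condition was found in the locations checked.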
Affected products
- SilverStripe/SilverStripe (description)
- ghsa-coords (2 versions): >= 4.4.0, < 4.4.4 (+ 1 more)
- (no CPE) range: >= 4.4.0, < 4.4.4
- (no CPE) range: >= 4.1.0, < 4.3.5
References
- github.com/advisories/GHSA-cg8j-8w52-735v (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-12204 (ghsa, ADVISORY)
- forum.silverstripe.org/c/releases (ghsa, x_refsource_MISC, WEB)
- github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2019-12204.yaml (ghsa, WEB)
- packagist.org/packages/silverstripe/cms (ghsa, WEB)
- packagist.org/packages/silverstripe/framework (ghsa, WEB)
- www.silverstripe.org/download/security-releases (ghsa, WEB)
- www.silverstripe.org/download/security-releases/ (mitre, x_refsource_MISC)
- www.silverstripe.org/download/security-releases/CVE-2019-12204 (ghsa, x_refsource_CONFIRM, WEB)
- www.silverstripe.org/download/security-releases/cve-2019-12204 (ghsa, WEB)