CVE-2020-9309
Description
Silverstripe CMS through 4.5 can be susceptible to script execution from malicious upload contents under allowed file extensions (for example HTML code in a TXT file). When these files are stored as protected or draft files, the MIME detection can cause browsers to execute the file contents. Uploads stored as protected or draft files are allowed by default for authorised users only, but can also be enabled through custom logic as well as modules such as silverstripe/userforms. Sites using the previously optional silverstripe/mimevalidator module can configure MIME whitelists rather than extension whitelists, and hence prevent this issue. Sites on the Common Web Platform (CWP) use this module by default, and are not affected.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Silverstripe CMS through 4.5 allows script execution via malicious uploads with allowed file extensions due to MIME detection, affecting protected/draft files.
Vulnerability
Silverstripe CMS versions up to 4.5 are susceptible to script execution from malicious upload contents under allowed file extensions, such as HTML code embedded in a TXT file. The root cause is that the system relies on file extension whitelisting rather than content validation; when files are stored as protected or draft files, the browser's MIME detection can cause the file to be interpreted as executable content, leading to script execution. [1]
Attack
Surface Uploads stored as protected or draft files are allowed by default for authorized users only, but the attack surface can be expanded through custom logic or modules like silverstripe/userforms, potentially enabling unauthenticated users to upload malicious files. The vulnerability is triggered when a user with access to the protected/draft file views it in a browser, which may execute embedded scripts due to MIME sniffing. [1]
Impact
An authenticated attacker who can upload files with allowed extensions (e.g., TXT) can inject HTML or JavaScript that will be executed in the context of the victim's browser when the file is accessed. This can lead to cross-site scripting, data theft, or further compromise of the CMS instance.
Mitigation
Sites using the silverstripe/mimevalidator module, which enforces MIME type whitelists instead of extension whitelists, are not affected. The Common Web Platform (CWP) includes this module by default. Users should upgrade to a patched version or enable the mimevalidator module to prevent this issue. [1]
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
silverstripe/cmsPackagist | <= 4.5.0 | — |
Affected products
2- Silverstripe/Silverstripe CMSdescription
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- github.com/advisories/GHSA-h77w-655f-6j3mghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2020-9309ghsaADVISORY
- www.silverstripe.org/download/security-releases/CVE-2020-9309ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.