Overview

This hotfix release includes an update from CMS Recipe 4.4.3 to 4.4.6, and from UserForms 5.4.1 to 5.4.2. Links to changelogs for each included version of the CMS Recipe can be found below.

Upgrading to Recipe 2.4.1 is recommended for all CWP sites. This upgrade can be carried out by any development team familiar with Silverstripe CMS. However, if you would like Silverstripe's assistance, you can request support via the Service Desk.

Security considerations

This release includes security fixes. Please see the release announcements for more detailed descriptions of each. We highly encourage upgrading your CWP projects to include these security patches.

  • CVE-2020-9280 - Folders migrated from 3.x may be unsafe to upload to (CVSS 5.9)
  • CVE-2019-19325 - XSS through non-scalar FormField attributes (CVSS 0.0 - mitigated on CWP infrastructure level)
  • CVE-2019-14273 - Broken Access control on files (CVSS 3.5)
  • CVE-2019-12617 - Access escalation for CMS users with limited access through permission cache pollution (CVSS 5.0)
  • CVE-2019-12245 - Incorrect access control vulnerability in files uploaded to protected folders (CVSS 5.9)
  • CVE-2019-12204 - Missing warning on install.php on public webroot can lead to unauthenticated admin access (CVSS 0.0 - mitigated on CWP infrastructure level)
  • CVE-2019-12203 - Session fixation in "change password" form (CVSS 6.5)

Upgrading Instructions

To update an existing site to the new basic recipe, make the following changes to your composer.json:

"require": {
    "cwp/cwp-recipe-core": "2.4.1@stable",
    "cwp/cwp-recipe-cms": "2.4.1@stable",
    "silverstripe/recipe-blog": "1.4.1@stable",
    "silverstripe/recipe-form-building": "1.4.1@stable",
    "silverstripe/recipe-authoring-tools": "1.4.1@stable",
    "silverstripe/recipe-collaboration": "1.4.1@stable",
    "silverstripe/recipe-reporting-tools": "1.4.1@stable",
    "cwp/cwp-recipe-search": "2.4.1@stable",
    "silverstripe/recipe-services": "1.4.1@stable",
    "silverstripe/subsites": "2.3.2@stable",
    "tractorcow/silverstripe-fluent": "4.4.1@stable",
    "silverstripe/registry": "2.2.1@stable",
    "cwp/starter-theme": "3.0.1@stable"
},
"prefer-stable": true

Change Log

Security

  • 2020-03-31 d530d5b Task for shifting UserForm uploads into correct folders (Serge Latyntcev) - See cve-2020-9280
  • 2020-02-12 d515e5e XSS through non-scalar FormField attributes (Serge Latyntcev) - See cve-2019-19325
  • 2020-02-03 ad1b00ec7 XSS through non-scalar FormField attributes (Serge Latyntcev) - See cve-2019-19325
  • 2019-09-23 8b7063a8e Fix access escalation for CMS users with limited access through permission cache pollution (Serge Latyntcev) - See cve-2019-12617
  • 2019-09-16 eccfa9b10 Session fixation in "change password" form (Serge Latyntcev) - See cve-2019-12203
  • 2019-08-20 f98a59de install.php warning does not account for public dir (Aaron Carlino) - See cve-2019-12204
  • 2019-08-17 8c7a719 Broken access control on files due to session grant (Aaron Carlino) - See cve-2019-14273
  • 2019-05-21 73e0cc6 Fix incorrect access control vulnerability with unwritten files in protected folders (Robbie Averill) - See cve-2019-12245
