Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:composer/silverstripe/framework@3.3.0-alpha0

Type composer

Namespace silverstripe

Name framework

Version 3.3.0-alpha0

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 5.3.23

Latest_non_vulnerable_version 6.0.0-alpha1

Affected_by_vulnerabilities

url VCID-36z3-nafq-6kez

vulnerability_id VCID-36z3-nafq-6kez

summary

XSS In CMSSecurity BackURL
In follow up to SS-2016-001 there is yet a minor unresolved fix to incorrectly encoded URL.

references

reference_url	https://www.silverstripe.org/download/security-releases/ss-2016-001/
reference_id
reference_type
scores
url	https://www.silverstripe.org/download/security-releases/ss-2016-001/

reference_url	https://www.silverstripe.org/download/security-releases/ss-2016-016/
reference_id
reference_type
scores
url	https://www.silverstripe.org/download/security-releases/ss-2016-016/

fixed_packages

url pkg:composer/silverstripe/framework@3.3.4

purl pkg:composer/silverstripe/framework@3.3.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-11sx-j3x7-gkcr

vulnerability	VCID-1mmc-91gk-r3d3

vulnerability	VCID-1p79-328x-sueq

vulnerability	VCID-3x46-q9cb-7ubg

vulnerability	VCID-5cfa-whq6-9ucp

vulnerability	VCID-79qx-v5uu-jyf2

vulnerability	VCID-7hxq-cp29-r7dh

vulnerability	VCID-86vg-4j71-hkgr

vulnerability	VCID-8u5c-6vx3-mfcr

vulnerability	VCID-9y5u-qyzd-3ud9

vulnerability	VCID-a7cf-kpzy-xudd

vulnerability	VCID-b6nm-cphj-wfgw

vulnerability	VCID-b95v-49p7-fkas

vulnerability	VCID-c6bz-jwhm-vkgp

vulnerability	VCID-cmwn-cjff-9qau

vulnerability	VCID-gnpw-s9hp-wqfs

vulnerability	VCID-hcuz-gz3w-97ew

vulnerability	VCID-k46z-g6jp-57ek

vulnerability	VCID-ky21-z2d2-sye6

vulnerability	VCID-mkex-ht2r-cucz

vulnerability	VCID-n4fk-735u-2baw

vulnerability	VCID-nute-ndg2-z7ev

vulnerability	VCID-pkve-yjqy-syc2

vulnerability	VCID-qdwg-f2bx-1bay

vulnerability	VCID-qmfy-dxag-uuex

vulnerability	VCID-r1eg-dwej-5kau

vulnerability	VCID-sg62-98yy-2kd7

vulnerability	VCID-t81f-5b8z-hyht

vulnerability	VCID-tv7h-289s-xub4

vulnerability	VCID-umhc-fdfh-1fdx

vulnerability	VCID-uy47-3s8a-hbdn

vulnerability	VCID-wgdv-etcq-3qhw

vulnerability	VCID-xg74-3h1h-kqaf

vulnerability	VCID-y8et-m846-2fc6

vulnerability	VCID-zdge-zsmz-8ud9

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@3.3.4

url pkg:composer/silverstripe/framework@3.4.2

purl pkg:composer/silverstripe/framework@3.4.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-11sx-j3x7-gkcr

vulnerability	VCID-1mmc-91gk-r3d3

vulnerability	VCID-1p79-328x-sueq

vulnerability	VCID-3j6f-5c14-uubc

vulnerability	VCID-3x46-q9cb-7ubg

vulnerability	VCID-4qjj-wqg5-dbay

vulnerability	VCID-5cfa-whq6-9ucp

vulnerability	VCID-79qx-v5uu-jyf2

vulnerability	VCID-7hxq-cp29-r7dh

vulnerability	VCID-86vg-4j71-hkgr

vulnerability	VCID-8u5c-6vx3-mfcr

vulnerability	VCID-9y5u-qyzd-3ud9

vulnerability	VCID-a7cf-kpzy-xudd

vulnerability	VCID-b6nm-cphj-wfgw

vulnerability	VCID-b95v-49p7-fkas

vulnerability	VCID-bwrh-updj-zkfs

vulnerability	VCID-c6bz-jwhm-vkgp

vulnerability	VCID-cmwn-cjff-9qau

vulnerability	VCID-gnpw-s9hp-wqfs

vulnerability	VCID-hcuz-gz3w-97ew

vulnerability	VCID-k46z-g6jp-57ek

vulnerability	VCID-ky21-z2d2-sye6

vulnerability	VCID-mkex-ht2r-cucz

vulnerability	VCID-n4fk-735u-2baw

vulnerability	VCID-njph-ua7r-auaq

vulnerability	VCID-nute-ndg2-z7ev

vulnerability	VCID-pkve-yjqy-syc2

vulnerability	VCID-qdwg-f2bx-1bay

vulnerability	VCID-qmfy-dxag-uuex

vulnerability	VCID-r1eg-dwej-5kau

vulnerability	VCID-sg62-98yy-2kd7

vulnerability	VCID-t81f-5b8z-hyht

vulnerability	VCID-tv7h-289s-xub4

vulnerability	VCID-umhc-fdfh-1fdx

vulnerability	VCID-uy47-3s8a-hbdn

vulnerability	VCID-wgdv-etcq-3qhw

vulnerability	VCID-xg74-3h1h-kqaf

vulnerability	VCID-y8et-m846-2fc6

vulnerability	VCID-zdge-zsmz-8ud9

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@3.4.2

aliases SS-2016-016

risk_score null

exploitability 0.5

weighted_severity 0.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-36z3-nafq-6kez

url VCID-3svb-wudn-aybz

vulnerability_id VCID-3svb-wudn-aybz

summary

VersionedRequestFilter vulnerability
A cross-site scripting vulnerability in `VersionedRequestFilter` has been found. If an incoming user request should not be able to access the requested stage, an error message is created for display on the CMS login page that they are redirected to. In this error message, the URL of the requested page is interpolated into the error message without being escaped; hence, arbitrary HTML can be injected into the CMS login page.

references

reference_url	https://www.silverstripe.org/download/security-releases/ss-2016-007/
reference_id
reference_type
scores
url	https://www.silverstripe.org/download/security-releases/ss-2016-007/

fixed_packages

url pkg:composer/silverstripe/framework@3.3.3

purl pkg:composer/silverstripe/framework@3.3.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-11sx-j3x7-gkcr

vulnerability	VCID-1mmc-91gk-r3d3

vulnerability	VCID-1p79-328x-sueq

vulnerability	VCID-36z3-nafq-6kez

vulnerability	VCID-3x46-q9cb-7ubg

vulnerability	VCID-5cfa-whq6-9ucp

vulnerability	VCID-79qx-v5uu-jyf2

vulnerability	VCID-7hxq-cp29-r7dh

vulnerability	VCID-86vg-4j71-hkgr

vulnerability	VCID-8u5c-6vx3-mfcr

vulnerability	VCID-9hf4-djcv-67d7

vulnerability	VCID-9y5u-qyzd-3ud9

vulnerability	VCID-a7cf-kpzy-xudd

vulnerability	VCID-b6nm-cphj-wfgw

vulnerability	VCID-b95v-49p7-fkas

vulnerability	VCID-c6bz-jwhm-vkgp

vulnerability	VCID-cmwn-cjff-9qau

vulnerability	VCID-gnpw-s9hp-wqfs

vulnerability	VCID-hcuz-gz3w-97ew

vulnerability	VCID-hnme-cqff-c7dp

vulnerability	VCID-k46z-g6jp-57ek

vulnerability	VCID-ky21-z2d2-sye6

vulnerability	VCID-mkex-ht2r-cucz

vulnerability	VCID-n4fk-735u-2baw

vulnerability	VCID-nute-ndg2-z7ev

vulnerability	VCID-pkve-yjqy-syc2

vulnerability	VCID-qdwg-f2bx-1bay

vulnerability	VCID-qj5k-bcw3-5fgq

vulnerability	VCID-qmfy-dxag-uuex

vulnerability	VCID-r1eg-dwej-5kau

vulnerability	VCID-sg62-98yy-2kd7

vulnerability	VCID-t81f-5b8z-hyht

vulnerability	VCID-tv7h-289s-xub4

vulnerability	VCID-umhc-fdfh-1fdx

vulnerability	VCID-uy47-3s8a-hbdn

vulnerability	VCID-wgdv-etcq-3qhw

vulnerability	VCID-xg74-3h1h-kqaf

vulnerability	VCID-y8et-m846-2fc6

vulnerability	VCID-zdge-zsmz-8ud9

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@3.3.3

url pkg:composer/silverstripe/framework@3.4.1

purl pkg:composer/silverstripe/framework@3.4.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-11sx-j3x7-gkcr

vulnerability	VCID-1mmc-91gk-r3d3

vulnerability	VCID-1p79-328x-sueq

vulnerability	VCID-36z3-nafq-6kez

vulnerability	VCID-3j6f-5c14-uubc

vulnerability	VCID-3x46-q9cb-7ubg

vulnerability	VCID-4qjj-wqg5-dbay

vulnerability	VCID-5cfa-whq6-9ucp

vulnerability	VCID-79qx-v5uu-jyf2

vulnerability	VCID-7hxq-cp29-r7dh

vulnerability	VCID-86vg-4j71-hkgr

vulnerability	VCID-8u5c-6vx3-mfcr

vulnerability	VCID-9hf4-djcv-67d7

vulnerability	VCID-9y5u-qyzd-3ud9

vulnerability	VCID-a7cf-kpzy-xudd

vulnerability	VCID-b6nm-cphj-wfgw

vulnerability	VCID-b95v-49p7-fkas

vulnerability	VCID-bwrh-updj-zkfs

vulnerability	VCID-c6bz-jwhm-vkgp

vulnerability	VCID-cmwn-cjff-9qau

vulnerability	VCID-gnpw-s9hp-wqfs

vulnerability	VCID-hcuz-gz3w-97ew

vulnerability	VCID-hnme-cqff-c7dp

vulnerability	VCID-k46z-g6jp-57ek

vulnerability	VCID-ky21-z2d2-sye6

vulnerability	VCID-mkex-ht2r-cucz

vulnerability	VCID-n4fk-735u-2baw

vulnerability	VCID-njph-ua7r-auaq

vulnerability	VCID-nute-ndg2-z7ev

vulnerability	VCID-pkve-yjqy-syc2

vulnerability	VCID-qdwg-f2bx-1bay

vulnerability	VCID-qj5k-bcw3-5fgq

vulnerability	VCID-qmfy-dxag-uuex

vulnerability	VCID-r1eg-dwej-5kau

vulnerability	VCID-sg62-98yy-2kd7

vulnerability	VCID-t81f-5b8z-hyht

vulnerability	VCID-tv7h-289s-xub4

vulnerability	VCID-umhc-fdfh-1fdx

vulnerability	VCID-uy47-3s8a-hbdn

vulnerability	VCID-wgdv-etcq-3qhw

vulnerability	VCID-xg74-3h1h-kqaf

vulnerability	VCID-y8et-m846-2fc6

vulnerability	VCID-zdge-zsmz-8ud9

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@3.4.1

url pkg:composer/silverstripe/framework@4.0.0-alpha1

purl pkg:composer/silverstripe/framework@4.0.0-alpha1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-11sx-j3x7-gkcr

vulnerability	VCID-1p79-328x-sueq

vulnerability	VCID-5cfa-whq6-9ucp

vulnerability	VCID-79qx-v5uu-jyf2

vulnerability	VCID-7hxq-cp29-r7dh

vulnerability	VCID-86vg-4j71-hkgr

vulnerability	VCID-8u5c-6vx3-mfcr

vulnerability	VCID-9y5u-qyzd-3ud9

vulnerability	VCID-a7cf-kpzy-xudd

vulnerability	VCID-b6nm-cphj-wfgw

vulnerability	VCID-cmwn-cjff-9qau

vulnerability	VCID-gnpw-s9hp-wqfs

vulnerability	VCID-hcuz-gz3w-97ew

vulnerability	VCID-k46z-g6jp-57ek

vulnerability	VCID-ky21-z2d2-sye6

vulnerability	VCID-mkex-ht2r-cucz

vulnerability	VCID-n4fk-735u-2baw

vulnerability	VCID-nute-ndg2-z7ev

vulnerability	VCID-qmfy-dxag-uuex

vulnerability	VCID-r1eg-dwej-5kau

vulnerability	VCID-tv7h-289s-xub4

vulnerability	VCID-uy47-3s8a-hbdn

vulnerability	VCID-wgdv-etcq-3qhw

vulnerability	VCID-xg74-3h1h-kqaf

vulnerability	VCID-y8et-m846-2fc6

vulnerability	VCID-zdge-zsmz-8ud9

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@4.0.0-alpha1

aliases SS-2016-007

risk_score null

exploitability 0.5

weighted_severity 0.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3svb-wudn-aybz

url VCID-7ek4-6y31-1qcs

vulnerability_id VCID-7ek4-6y31-1qcs

summary

Pre-existing alc_enc cookies log users in if remember me is disabled
If remember me is on and users log in with the box checked, if the developer then disabled "remember me" function, any pre-existing cookies will continue to authenticate users.

references

reference_url	https://www.silverstripe.org/download/security-releases/ss-2016-014/
reference_id
reference_type
scores
url	https://www.silverstripe.org/download/security-releases/ss-2016-014/

fixed_packages

url pkg:composer/silverstripe/framework@3.3.3

purl pkg:composer/silverstripe/framework@3.3.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-11sx-j3x7-gkcr

vulnerability	VCID-1mmc-91gk-r3d3

vulnerability	VCID-1p79-328x-sueq

vulnerability	VCID-36z3-nafq-6kez

vulnerability	VCID-3x46-q9cb-7ubg

vulnerability	VCID-5cfa-whq6-9ucp

vulnerability	VCID-79qx-v5uu-jyf2

vulnerability	VCID-7hxq-cp29-r7dh

vulnerability	VCID-86vg-4j71-hkgr

vulnerability	VCID-8u5c-6vx3-mfcr

vulnerability	VCID-9hf4-djcv-67d7

vulnerability	VCID-9y5u-qyzd-3ud9

vulnerability	VCID-a7cf-kpzy-xudd

vulnerability	VCID-b6nm-cphj-wfgw

vulnerability	VCID-b95v-49p7-fkas

vulnerability	VCID-c6bz-jwhm-vkgp

vulnerability	VCID-cmwn-cjff-9qau

vulnerability	VCID-gnpw-s9hp-wqfs

vulnerability	VCID-hcuz-gz3w-97ew

vulnerability	VCID-hnme-cqff-c7dp

vulnerability	VCID-k46z-g6jp-57ek

vulnerability	VCID-ky21-z2d2-sye6

vulnerability	VCID-mkex-ht2r-cucz

vulnerability	VCID-n4fk-735u-2baw

vulnerability	VCID-nute-ndg2-z7ev

vulnerability	VCID-pkve-yjqy-syc2

vulnerability	VCID-qdwg-f2bx-1bay

vulnerability	VCID-qj5k-bcw3-5fgq

vulnerability	VCID-qmfy-dxag-uuex

vulnerability	VCID-r1eg-dwej-5kau

vulnerability	VCID-sg62-98yy-2kd7

vulnerability	VCID-t81f-5b8z-hyht

vulnerability	VCID-tv7h-289s-xub4

vulnerability	VCID-umhc-fdfh-1fdx

vulnerability	VCID-uy47-3s8a-hbdn

vulnerability	VCID-wgdv-etcq-3qhw

vulnerability	VCID-xg74-3h1h-kqaf

vulnerability	VCID-y8et-m846-2fc6

vulnerability	VCID-zdge-zsmz-8ud9

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@3.3.3

url pkg:composer/silverstripe/framework@3.4.1

purl pkg:composer/silverstripe/framework@3.4.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-11sx-j3x7-gkcr

vulnerability	VCID-1mmc-91gk-r3d3

vulnerability	VCID-1p79-328x-sueq

vulnerability	VCID-36z3-nafq-6kez

vulnerability	VCID-3j6f-5c14-uubc

vulnerability	VCID-3x46-q9cb-7ubg

vulnerability	VCID-4qjj-wqg5-dbay

vulnerability	VCID-5cfa-whq6-9ucp

vulnerability	VCID-79qx-v5uu-jyf2

vulnerability	VCID-7hxq-cp29-r7dh

vulnerability	VCID-86vg-4j71-hkgr

vulnerability	VCID-8u5c-6vx3-mfcr

vulnerability	VCID-9hf4-djcv-67d7

vulnerability	VCID-9y5u-qyzd-3ud9

vulnerability	VCID-a7cf-kpzy-xudd

vulnerability	VCID-b6nm-cphj-wfgw

vulnerability	VCID-b95v-49p7-fkas

vulnerability	VCID-bwrh-updj-zkfs

vulnerability	VCID-c6bz-jwhm-vkgp

vulnerability	VCID-cmwn-cjff-9qau

vulnerability	VCID-gnpw-s9hp-wqfs

vulnerability	VCID-hcuz-gz3w-97ew

vulnerability	VCID-hnme-cqff-c7dp

vulnerability	VCID-k46z-g6jp-57ek

vulnerability	VCID-ky21-z2d2-sye6

vulnerability	VCID-mkex-ht2r-cucz

vulnerability	VCID-n4fk-735u-2baw

vulnerability	VCID-njph-ua7r-auaq

vulnerability	VCID-nute-ndg2-z7ev

vulnerability	VCID-pkve-yjqy-syc2

vulnerability	VCID-qdwg-f2bx-1bay

vulnerability	VCID-qj5k-bcw3-5fgq

vulnerability	VCID-qmfy-dxag-uuex

vulnerability	VCID-r1eg-dwej-5kau

vulnerability	VCID-sg62-98yy-2kd7

vulnerability	VCID-t81f-5b8z-hyht

vulnerability	VCID-tv7h-289s-xub4

vulnerability	VCID-umhc-fdfh-1fdx

vulnerability	VCID-uy47-3s8a-hbdn

vulnerability	VCID-wgdv-etcq-3qhw

vulnerability	VCID-xg74-3h1h-kqaf

vulnerability	VCID-y8et-m846-2fc6

vulnerability	VCID-zdge-zsmz-8ud9

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@3.4.1

url pkg:composer/silverstripe/framework@4.0.0-alpha1

purl pkg:composer/silverstripe/framework@4.0.0-alpha1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-11sx-j3x7-gkcr

vulnerability	VCID-1p79-328x-sueq

vulnerability	VCID-5cfa-whq6-9ucp

vulnerability	VCID-79qx-v5uu-jyf2

vulnerability	VCID-7hxq-cp29-r7dh

vulnerability	VCID-86vg-4j71-hkgr

vulnerability	VCID-8u5c-6vx3-mfcr

vulnerability	VCID-9y5u-qyzd-3ud9

vulnerability	VCID-a7cf-kpzy-xudd

vulnerability	VCID-b6nm-cphj-wfgw

vulnerability	VCID-cmwn-cjff-9qau

vulnerability	VCID-gnpw-s9hp-wqfs

vulnerability	VCID-hcuz-gz3w-97ew

vulnerability	VCID-k46z-g6jp-57ek

vulnerability	VCID-ky21-z2d2-sye6

vulnerability	VCID-mkex-ht2r-cucz

vulnerability	VCID-n4fk-735u-2baw

vulnerability	VCID-nute-ndg2-z7ev

vulnerability	VCID-qmfy-dxag-uuex

vulnerability	VCID-r1eg-dwej-5kau

vulnerability	VCID-tv7h-289s-xub4

vulnerability	VCID-uy47-3s8a-hbdn

vulnerability	VCID-wgdv-etcq-3qhw

vulnerability	VCID-xg74-3h1h-kqaf

vulnerability	VCID-y8et-m846-2fc6

vulnerability	VCID-zdge-zsmz-8ud9

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@4.0.0-alpha1

aliases SS-2016-014

risk_score null

exploitability 0.5

weighted_severity 0.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-7ek4-6y31-1qcs

url VCID-at1s-qxsg-5yfs

vulnerability_id VCID-at1s-qxsg-5yfs

summary

XSS In OptionsetField and CheckboxSetField
List of key / value pairs assigned to `OptionsetField` or `CheckboxSetField` do not have a default casting assigned to them. The effect of this is a potential XSS vulnerability in lists where either key or value contain unescaped HTML.

references

reference_url	https://www.silverstripe.org/download/security-releases/ss-2016-015/
reference_id
reference_type
scores
url	https://www.silverstripe.org/download/security-releases/ss-2016-015/

fixed_packages

url pkg:composer/silverstripe/framework@3.3.3

purl pkg:composer/silverstripe/framework@3.3.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-11sx-j3x7-gkcr

vulnerability	VCID-1mmc-91gk-r3d3

vulnerability	VCID-1p79-328x-sueq

vulnerability	VCID-36z3-nafq-6kez

vulnerability	VCID-3x46-q9cb-7ubg

vulnerability	VCID-5cfa-whq6-9ucp

vulnerability	VCID-79qx-v5uu-jyf2

vulnerability	VCID-7hxq-cp29-r7dh

vulnerability	VCID-86vg-4j71-hkgr

vulnerability	VCID-8u5c-6vx3-mfcr

vulnerability	VCID-9hf4-djcv-67d7

vulnerability	VCID-9y5u-qyzd-3ud9

vulnerability	VCID-a7cf-kpzy-xudd

vulnerability	VCID-b6nm-cphj-wfgw

vulnerability	VCID-b95v-49p7-fkas

vulnerability	VCID-c6bz-jwhm-vkgp

vulnerability	VCID-cmwn-cjff-9qau

vulnerability	VCID-gnpw-s9hp-wqfs

vulnerability	VCID-hcuz-gz3w-97ew

vulnerability	VCID-hnme-cqff-c7dp

vulnerability	VCID-k46z-g6jp-57ek

vulnerability	VCID-ky21-z2d2-sye6

vulnerability	VCID-mkex-ht2r-cucz

vulnerability	VCID-n4fk-735u-2baw

vulnerability	VCID-nute-ndg2-z7ev

vulnerability	VCID-pkve-yjqy-syc2

vulnerability	VCID-qdwg-f2bx-1bay

vulnerability	VCID-qj5k-bcw3-5fgq

vulnerability	VCID-qmfy-dxag-uuex

vulnerability	VCID-r1eg-dwej-5kau

vulnerability	VCID-sg62-98yy-2kd7

vulnerability	VCID-t81f-5b8z-hyht

vulnerability	VCID-tv7h-289s-xub4

vulnerability	VCID-umhc-fdfh-1fdx

vulnerability	VCID-uy47-3s8a-hbdn

vulnerability	VCID-wgdv-etcq-3qhw

vulnerability	VCID-xg74-3h1h-kqaf

vulnerability	VCID-y8et-m846-2fc6

vulnerability	VCID-zdge-zsmz-8ud9

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@3.3.3

url pkg:composer/silverstripe/framework@3.4.1

purl pkg:composer/silverstripe/framework@3.4.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-11sx-j3x7-gkcr

vulnerability	VCID-1mmc-91gk-r3d3

vulnerability	VCID-1p79-328x-sueq

vulnerability	VCID-36z3-nafq-6kez

vulnerability	VCID-3j6f-5c14-uubc

vulnerability	VCID-3x46-q9cb-7ubg

vulnerability	VCID-4qjj-wqg5-dbay

vulnerability	VCID-5cfa-whq6-9ucp

vulnerability	VCID-79qx-v5uu-jyf2

vulnerability	VCID-7hxq-cp29-r7dh

vulnerability	VCID-86vg-4j71-hkgr

vulnerability	VCID-8u5c-6vx3-mfcr

vulnerability	VCID-9hf4-djcv-67d7

vulnerability	VCID-9y5u-qyzd-3ud9

vulnerability	VCID-a7cf-kpzy-xudd

vulnerability	VCID-b6nm-cphj-wfgw

vulnerability	VCID-b95v-49p7-fkas

vulnerability	VCID-bwrh-updj-zkfs

vulnerability	VCID-c6bz-jwhm-vkgp

vulnerability	VCID-cmwn-cjff-9qau

vulnerability	VCID-gnpw-s9hp-wqfs

vulnerability	VCID-hcuz-gz3w-97ew

vulnerability	VCID-hnme-cqff-c7dp

vulnerability	VCID-k46z-g6jp-57ek

vulnerability	VCID-ky21-z2d2-sye6

vulnerability	VCID-mkex-ht2r-cucz

vulnerability	VCID-n4fk-735u-2baw

vulnerability	VCID-njph-ua7r-auaq

vulnerability	VCID-nute-ndg2-z7ev

vulnerability	VCID-pkve-yjqy-syc2

vulnerability	VCID-qdwg-f2bx-1bay

vulnerability	VCID-qj5k-bcw3-5fgq

vulnerability	VCID-qmfy-dxag-uuex

vulnerability	VCID-r1eg-dwej-5kau

vulnerability	VCID-sg62-98yy-2kd7

vulnerability	VCID-t81f-5b8z-hyht

vulnerability	VCID-tv7h-289s-xub4

vulnerability	VCID-umhc-fdfh-1fdx

vulnerability	VCID-uy47-3s8a-hbdn

vulnerability	VCID-wgdv-etcq-3qhw

vulnerability	VCID-xg74-3h1h-kqaf

vulnerability	VCID-y8et-m846-2fc6

vulnerability	VCID-zdge-zsmz-8ud9

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@3.4.1

url pkg:composer/silverstripe/framework@4.0.0-alpha1

purl pkg:composer/silverstripe/framework@4.0.0-alpha1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-11sx-j3x7-gkcr

vulnerability	VCID-1p79-328x-sueq

vulnerability	VCID-5cfa-whq6-9ucp

vulnerability	VCID-79qx-v5uu-jyf2

vulnerability	VCID-7hxq-cp29-r7dh

vulnerability	VCID-86vg-4j71-hkgr

vulnerability	VCID-8u5c-6vx3-mfcr

vulnerability	VCID-9y5u-qyzd-3ud9

vulnerability	VCID-a7cf-kpzy-xudd

vulnerability	VCID-b6nm-cphj-wfgw

vulnerability	VCID-cmwn-cjff-9qau

vulnerability	VCID-gnpw-s9hp-wqfs

vulnerability	VCID-hcuz-gz3w-97ew

vulnerability	VCID-k46z-g6jp-57ek

vulnerability	VCID-ky21-z2d2-sye6

vulnerability	VCID-mkex-ht2r-cucz

vulnerability	VCID-n4fk-735u-2baw

vulnerability	VCID-nute-ndg2-z7ev

vulnerability	VCID-qmfy-dxag-uuex

vulnerability	VCID-r1eg-dwej-5kau

vulnerability	VCID-tv7h-289s-xub4

vulnerability	VCID-uy47-3s8a-hbdn

vulnerability	VCID-wgdv-etcq-3qhw

vulnerability	VCID-xg74-3h1h-kqaf

vulnerability	VCID-y8et-m846-2fc6

vulnerability	VCID-zdge-zsmz-8ud9

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@4.0.0-alpha1

aliases SS-2016-015

risk_score null

exploitability 0.5

weighted_severity 0.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-at1s-qxsg-5yfs

url VCID-c437-w2zy-y7c9

vulnerability_id VCID-c437-w2zy-y7c9

summary

ChangePasswordForm doesn't check Member::canLogIn()
After performing a password reset, `ChangePasswordForm::doChangePassword()` logs in the user without checking `Member::canLogIn()`. This presents an issue for sites that are using the extension point in that method to deny access to users (for example members that have not been “approved”, or members that have had their access revoked temporarily). It looks like `Member::canLogIn()` was originally designed to only be used for checking whether the user is locked out (due to too many incorrect login attempts) but has been opened up to other uses.

references

reference_url	https://www.silverstripe.org/download/security-releases/ss-2016-011/
reference_id
reference_type
scores
url	https://www.silverstripe.org/download/security-releases/ss-2016-011/

fixed_packages

url pkg:composer/silverstripe/framework@3.3.3

purl pkg:composer/silverstripe/framework@3.3.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-11sx-j3x7-gkcr

vulnerability	VCID-1mmc-91gk-r3d3

vulnerability	VCID-1p79-328x-sueq

vulnerability	VCID-36z3-nafq-6kez

vulnerability	VCID-3x46-q9cb-7ubg

vulnerability	VCID-5cfa-whq6-9ucp

vulnerability	VCID-79qx-v5uu-jyf2

vulnerability	VCID-7hxq-cp29-r7dh

vulnerability	VCID-86vg-4j71-hkgr

vulnerability	VCID-8u5c-6vx3-mfcr

vulnerability	VCID-9hf4-djcv-67d7

vulnerability	VCID-9y5u-qyzd-3ud9

vulnerability	VCID-a7cf-kpzy-xudd

vulnerability	VCID-b6nm-cphj-wfgw

vulnerability	VCID-b95v-49p7-fkas

vulnerability	VCID-c6bz-jwhm-vkgp

vulnerability	VCID-cmwn-cjff-9qau

vulnerability	VCID-gnpw-s9hp-wqfs

vulnerability	VCID-hcuz-gz3w-97ew

vulnerability	VCID-hnme-cqff-c7dp

vulnerability	VCID-k46z-g6jp-57ek

vulnerability	VCID-ky21-z2d2-sye6

vulnerability	VCID-mkex-ht2r-cucz

vulnerability	VCID-n4fk-735u-2baw

vulnerability	VCID-nute-ndg2-z7ev

vulnerability	VCID-pkve-yjqy-syc2

vulnerability	VCID-qdwg-f2bx-1bay

vulnerability	VCID-qj5k-bcw3-5fgq

vulnerability	VCID-qmfy-dxag-uuex

vulnerability	VCID-r1eg-dwej-5kau

vulnerability	VCID-sg62-98yy-2kd7

vulnerability	VCID-t81f-5b8z-hyht

vulnerability	VCID-tv7h-289s-xub4

vulnerability	VCID-umhc-fdfh-1fdx

vulnerability	VCID-uy47-3s8a-hbdn

vulnerability	VCID-wgdv-etcq-3qhw

vulnerability	VCID-xg74-3h1h-kqaf

vulnerability	VCID-y8et-m846-2fc6

vulnerability	VCID-zdge-zsmz-8ud9

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@3.3.3

url	pkg:composer/silverstripe/framework@3.4.10-stable
purl	pkg:composer/silverstripe/framework@3.4.10-stable
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@3.4.10-stable

url pkg:composer/silverstripe/framework@4.0.0-alpha1

purl pkg:composer/silverstripe/framework@4.0.0-alpha1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-11sx-j3x7-gkcr

vulnerability	VCID-1p79-328x-sueq

vulnerability	VCID-5cfa-whq6-9ucp

vulnerability	VCID-79qx-v5uu-jyf2

vulnerability	VCID-7hxq-cp29-r7dh

vulnerability	VCID-86vg-4j71-hkgr

vulnerability	VCID-8u5c-6vx3-mfcr

vulnerability	VCID-9y5u-qyzd-3ud9

vulnerability	VCID-a7cf-kpzy-xudd

vulnerability	VCID-b6nm-cphj-wfgw

vulnerability	VCID-cmwn-cjff-9qau

vulnerability	VCID-gnpw-s9hp-wqfs

vulnerability	VCID-hcuz-gz3w-97ew

vulnerability	VCID-k46z-g6jp-57ek

vulnerability	VCID-ky21-z2d2-sye6

vulnerability	VCID-mkex-ht2r-cucz

vulnerability	VCID-n4fk-735u-2baw

vulnerability	VCID-nute-ndg2-z7ev

vulnerability	VCID-qmfy-dxag-uuex

vulnerability	VCID-r1eg-dwej-5kau

vulnerability	VCID-tv7h-289s-xub4

vulnerability	VCID-uy47-3s8a-hbdn

vulnerability	VCID-wgdv-etcq-3qhw

vulnerability	VCID-xg74-3h1h-kqaf

vulnerability	VCID-y8et-m846-2fc6

vulnerability	VCID-zdge-zsmz-8ud9

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@4.0.0-alpha1

aliases SS-2016-011

risk_score null

exploitability 0.5

weighted_severity 0.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-c437-w2zy-y7c9

url VCID-ewg1-jqza-eyez

vulnerability_id VCID-ewg1-jqza-eyez

summary

Member.Name isn't escaped
The core template `framework/templates/Includes/GridField_print.ss` uses "Printed by $Member.Name". If the currently logged in members first name or surname contain XSS, this prints the raw HTML out, because `Member->getName()` just returns the raw `FirstName + Surname` as a string, which is injected directly.

references

reference_url	https://www.silverstripe.org/download/security-releases/ss-2016-013/
reference_id
reference_type
scores
url	https://www.silverstripe.org/download/security-releases/ss-2016-013/

fixed_packages

url pkg:composer/silverstripe/framework@3.3.3

purl pkg:composer/silverstripe/framework@3.3.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-11sx-j3x7-gkcr

vulnerability	VCID-1mmc-91gk-r3d3

vulnerability	VCID-1p79-328x-sueq

vulnerability	VCID-36z3-nafq-6kez

vulnerability	VCID-3x46-q9cb-7ubg

vulnerability	VCID-5cfa-whq6-9ucp

vulnerability	VCID-79qx-v5uu-jyf2

vulnerability	VCID-7hxq-cp29-r7dh

vulnerability	VCID-86vg-4j71-hkgr

vulnerability	VCID-8u5c-6vx3-mfcr

vulnerability	VCID-9hf4-djcv-67d7

vulnerability	VCID-9y5u-qyzd-3ud9

vulnerability	VCID-a7cf-kpzy-xudd

vulnerability	VCID-b6nm-cphj-wfgw

vulnerability	VCID-b95v-49p7-fkas

vulnerability	VCID-c6bz-jwhm-vkgp

vulnerability	VCID-cmwn-cjff-9qau

vulnerability	VCID-gnpw-s9hp-wqfs

vulnerability	VCID-hcuz-gz3w-97ew

vulnerability	VCID-hnme-cqff-c7dp

vulnerability	VCID-k46z-g6jp-57ek

vulnerability	VCID-ky21-z2d2-sye6

vulnerability	VCID-mkex-ht2r-cucz

vulnerability	VCID-n4fk-735u-2baw

vulnerability	VCID-nute-ndg2-z7ev

vulnerability	VCID-pkve-yjqy-syc2

vulnerability	VCID-qdwg-f2bx-1bay

vulnerability	VCID-qj5k-bcw3-5fgq

vulnerability	VCID-qmfy-dxag-uuex

vulnerability	VCID-r1eg-dwej-5kau

vulnerability	VCID-sg62-98yy-2kd7

vulnerability	VCID-t81f-5b8z-hyht

vulnerability	VCID-tv7h-289s-xub4

vulnerability	VCID-umhc-fdfh-1fdx

vulnerability	VCID-uy47-3s8a-hbdn

vulnerability	VCID-wgdv-etcq-3qhw

vulnerability	VCID-xg74-3h1h-kqaf

vulnerability	VCID-y8et-m846-2fc6

vulnerability	VCID-zdge-zsmz-8ud9

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@3.3.3

url pkg:composer/silverstripe/framework@3.4.1

purl pkg:composer/silverstripe/framework@3.4.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-11sx-j3x7-gkcr

vulnerability	VCID-1mmc-91gk-r3d3

vulnerability	VCID-1p79-328x-sueq

vulnerability	VCID-36z3-nafq-6kez

vulnerability	VCID-3j6f-5c14-uubc

vulnerability	VCID-3x46-q9cb-7ubg

vulnerability	VCID-4qjj-wqg5-dbay

vulnerability	VCID-5cfa-whq6-9ucp

vulnerability	VCID-79qx-v5uu-jyf2

vulnerability	VCID-7hxq-cp29-r7dh

vulnerability	VCID-86vg-4j71-hkgr

vulnerability	VCID-8u5c-6vx3-mfcr

vulnerability	VCID-9hf4-djcv-67d7

vulnerability	VCID-9y5u-qyzd-3ud9

vulnerability	VCID-a7cf-kpzy-xudd

vulnerability	VCID-b6nm-cphj-wfgw

vulnerability	VCID-b95v-49p7-fkas

vulnerability	VCID-bwrh-updj-zkfs

vulnerability	VCID-c6bz-jwhm-vkgp

vulnerability	VCID-cmwn-cjff-9qau

vulnerability	VCID-gnpw-s9hp-wqfs

vulnerability	VCID-hcuz-gz3w-97ew

vulnerability	VCID-hnme-cqff-c7dp

vulnerability	VCID-k46z-g6jp-57ek

vulnerability	VCID-ky21-z2d2-sye6

vulnerability	VCID-mkex-ht2r-cucz

vulnerability	VCID-n4fk-735u-2baw

vulnerability	VCID-njph-ua7r-auaq

vulnerability	VCID-nute-ndg2-z7ev

vulnerability	VCID-pkve-yjqy-syc2

vulnerability	VCID-qdwg-f2bx-1bay

vulnerability	VCID-qj5k-bcw3-5fgq

vulnerability	VCID-qmfy-dxag-uuex

vulnerability	VCID-r1eg-dwej-5kau

vulnerability	VCID-sg62-98yy-2kd7

vulnerability	VCID-t81f-5b8z-hyht

vulnerability	VCID-tv7h-289s-xub4

vulnerability	VCID-umhc-fdfh-1fdx

vulnerability	VCID-uy47-3s8a-hbdn

vulnerability	VCID-wgdv-etcq-3qhw

vulnerability	VCID-xg74-3h1h-kqaf

vulnerability	VCID-y8et-m846-2fc6

vulnerability	VCID-zdge-zsmz-8ud9

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@3.4.1

url pkg:composer/silverstripe/framework@4.0.0-alpha1

purl pkg:composer/silverstripe/framework@4.0.0-alpha1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-11sx-j3x7-gkcr

vulnerability	VCID-1p79-328x-sueq

vulnerability	VCID-5cfa-whq6-9ucp

vulnerability	VCID-79qx-v5uu-jyf2

vulnerability	VCID-7hxq-cp29-r7dh

vulnerability	VCID-86vg-4j71-hkgr

vulnerability	VCID-8u5c-6vx3-mfcr

vulnerability	VCID-9y5u-qyzd-3ud9

vulnerability	VCID-a7cf-kpzy-xudd

vulnerability	VCID-b6nm-cphj-wfgw

vulnerability	VCID-cmwn-cjff-9qau

vulnerability	VCID-gnpw-s9hp-wqfs

vulnerability	VCID-hcuz-gz3w-97ew

vulnerability	VCID-k46z-g6jp-57ek

vulnerability	VCID-ky21-z2d2-sye6

vulnerability	VCID-mkex-ht2r-cucz

vulnerability	VCID-n4fk-735u-2baw

vulnerability	VCID-nute-ndg2-z7ev

vulnerability	VCID-qmfy-dxag-uuex

vulnerability	VCID-r1eg-dwej-5kau

vulnerability	VCID-tv7h-289s-xub4

vulnerability	VCID-uy47-3s8a-hbdn

vulnerability	VCID-wgdv-etcq-3qhw

vulnerability	VCID-xg74-3h1h-kqaf

vulnerability	VCID-y8et-m846-2fc6

vulnerability	VCID-zdge-zsmz-8ud9

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@4.0.0-alpha1

aliases SS-2016-013

risk_score null

exploitability 0.5

weighted_severity 0.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ewg1-jqza-eyez

url VCID-gkkp-9fm7-jfaz

vulnerability_id VCID-gkkp-9fm7-jfaz

summary

Missing ACL on reports
The `SS_Report`, and the reports CMS section only checks `canView()` when listing the reports that can be viewed by the current user. It does not (and should) perform `canView` checks when the report is actually viewed, so if you know the URL to a report and can otherwise access the Reports section of the CMS, you can view any report.

references

reference_url	https://www.silverstripe.org/download/security-releases/ss-2016-012/
reference_id
reference_type
scores
url	https://www.silverstripe.org/download/security-releases/ss-2016-012/

fixed_packages

url pkg:composer/silverstripe/framework@3.3.3

purl pkg:composer/silverstripe/framework@3.3.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-11sx-j3x7-gkcr

vulnerability	VCID-1mmc-91gk-r3d3

vulnerability	VCID-1p79-328x-sueq

vulnerability	VCID-36z3-nafq-6kez

vulnerability	VCID-3x46-q9cb-7ubg

vulnerability	VCID-5cfa-whq6-9ucp

vulnerability	VCID-79qx-v5uu-jyf2

vulnerability	VCID-7hxq-cp29-r7dh

vulnerability	VCID-86vg-4j71-hkgr

vulnerability	VCID-8u5c-6vx3-mfcr

vulnerability	VCID-9hf4-djcv-67d7

vulnerability	VCID-9y5u-qyzd-3ud9

vulnerability	VCID-a7cf-kpzy-xudd

vulnerability	VCID-b6nm-cphj-wfgw

vulnerability	VCID-b95v-49p7-fkas

vulnerability	VCID-c6bz-jwhm-vkgp

vulnerability	VCID-cmwn-cjff-9qau

vulnerability	VCID-gnpw-s9hp-wqfs

vulnerability	VCID-hcuz-gz3w-97ew

vulnerability	VCID-hnme-cqff-c7dp

vulnerability	VCID-k46z-g6jp-57ek

vulnerability	VCID-ky21-z2d2-sye6

vulnerability	VCID-mkex-ht2r-cucz

vulnerability	VCID-n4fk-735u-2baw

vulnerability	VCID-nute-ndg2-z7ev

vulnerability	VCID-pkve-yjqy-syc2

vulnerability	VCID-qdwg-f2bx-1bay

vulnerability	VCID-qj5k-bcw3-5fgq

vulnerability	VCID-qmfy-dxag-uuex

vulnerability	VCID-r1eg-dwej-5kau

vulnerability	VCID-sg62-98yy-2kd7

vulnerability	VCID-t81f-5b8z-hyht

vulnerability	VCID-tv7h-289s-xub4

vulnerability	VCID-umhc-fdfh-1fdx

vulnerability	VCID-uy47-3s8a-hbdn

vulnerability	VCID-wgdv-etcq-3qhw

vulnerability	VCID-xg74-3h1h-kqaf

vulnerability	VCID-y8et-m846-2fc6

vulnerability	VCID-zdge-zsmz-8ud9

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@3.3.3

url pkg:composer/silverstripe/framework@3.4.1

purl pkg:composer/silverstripe/framework@3.4.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-11sx-j3x7-gkcr

vulnerability	VCID-1mmc-91gk-r3d3

vulnerability	VCID-1p79-328x-sueq

vulnerability	VCID-36z3-nafq-6kez

vulnerability	VCID-3j6f-5c14-uubc

vulnerability	VCID-3x46-q9cb-7ubg

vulnerability	VCID-4qjj-wqg5-dbay

vulnerability	VCID-5cfa-whq6-9ucp

vulnerability	VCID-79qx-v5uu-jyf2

vulnerability	VCID-7hxq-cp29-r7dh

vulnerability	VCID-86vg-4j71-hkgr

vulnerability	VCID-8u5c-6vx3-mfcr

vulnerability	VCID-9hf4-djcv-67d7

vulnerability	VCID-9y5u-qyzd-3ud9

vulnerability	VCID-a7cf-kpzy-xudd

vulnerability	VCID-b6nm-cphj-wfgw

vulnerability	VCID-b95v-49p7-fkas

vulnerability	VCID-bwrh-updj-zkfs

vulnerability	VCID-c6bz-jwhm-vkgp

vulnerability	VCID-cmwn-cjff-9qau

vulnerability	VCID-gnpw-s9hp-wqfs

vulnerability	VCID-hcuz-gz3w-97ew

vulnerability	VCID-hnme-cqff-c7dp

vulnerability	VCID-k46z-g6jp-57ek

vulnerability	VCID-ky21-z2d2-sye6

vulnerability	VCID-mkex-ht2r-cucz

vulnerability	VCID-n4fk-735u-2baw

vulnerability	VCID-njph-ua7r-auaq

vulnerability	VCID-nute-ndg2-z7ev

vulnerability	VCID-pkve-yjqy-syc2

vulnerability	VCID-qdwg-f2bx-1bay

vulnerability	VCID-qj5k-bcw3-5fgq

vulnerability	VCID-qmfy-dxag-uuex

vulnerability	VCID-r1eg-dwej-5kau

vulnerability	VCID-sg62-98yy-2kd7

vulnerability	VCID-t81f-5b8z-hyht

vulnerability	VCID-tv7h-289s-xub4

vulnerability	VCID-umhc-fdfh-1fdx

vulnerability	VCID-uy47-3s8a-hbdn

vulnerability	VCID-wgdv-etcq-3qhw

vulnerability	VCID-xg74-3h1h-kqaf

vulnerability	VCID-y8et-m846-2fc6

vulnerability	VCID-zdge-zsmz-8ud9

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@3.4.1

url pkg:composer/silverstripe/framework@4.0.0-alpha1

purl pkg:composer/silverstripe/framework@4.0.0-alpha1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-11sx-j3x7-gkcr

vulnerability	VCID-1p79-328x-sueq

vulnerability	VCID-5cfa-whq6-9ucp

vulnerability	VCID-79qx-v5uu-jyf2

vulnerability	VCID-7hxq-cp29-r7dh

vulnerability	VCID-86vg-4j71-hkgr

vulnerability	VCID-8u5c-6vx3-mfcr

vulnerability	VCID-9y5u-qyzd-3ud9

vulnerability	VCID-a7cf-kpzy-xudd

vulnerability	VCID-b6nm-cphj-wfgw

vulnerability	VCID-cmwn-cjff-9qau

vulnerability	VCID-gnpw-s9hp-wqfs

vulnerability	VCID-hcuz-gz3w-97ew

vulnerability	VCID-k46z-g6jp-57ek

vulnerability	VCID-ky21-z2d2-sye6

vulnerability	VCID-mkex-ht2r-cucz

vulnerability	VCID-n4fk-735u-2baw

vulnerability	VCID-nute-ndg2-z7ev

vulnerability	VCID-qmfy-dxag-uuex

vulnerability	VCID-r1eg-dwej-5kau

vulnerability	VCID-tv7h-289s-xub4

vulnerability	VCID-uy47-3s8a-hbdn

vulnerability	VCID-wgdv-etcq-3qhw

vulnerability	VCID-xg74-3h1h-kqaf

vulnerability	VCID-y8et-m846-2fc6

vulnerability	VCID-zdge-zsmz-8ud9

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@4.0.0-alpha1

aliases SS-2016-012

risk_score null

exploitability 0.5

weighted_severity 0.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-gkkp-9fm7-jfaz

url VCID-hnme-cqff-c7dp

vulnerability_id VCID-hnme-cqff-c7dp

summary

ReadOnly transformation for formfields exploitable
Form fields returning `isReadonly()` as true are vulnerable to reflected XSS injections. This includes `ReadonlyField`, `LookupField`, `HTMLReadonlyField`, as well as special purpose fields like `TimeField_Readonly`. Values submitted to through these form fields are not filtered out from the form session data, and might be shown to the user depending on the form behaviour. For example, form validation errors cause the form to re-render with previously submitted values by default. SilverStripe forms automatically load values from request data (GET and POST), which enables malicious use of URLs if your form uses these fields and does not overwrite data on form construction. Readonly and disabled form fields are already filtered out in `saveInto()`, so maliciously submitted data on these fields does not make it into the database unless you are accessing form values directly in your saving logic.

references

reference_url	https://www.silverstripe.org/download/security-releases/ss-2016-010/
reference_id
reference_type
scores
url	https://www.silverstripe.org/download/security-releases/ss-2016-010/

fixed_packages

url pkg:composer/silverstripe/framework@3.3.4

purl pkg:composer/silverstripe/framework@3.3.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-11sx-j3x7-gkcr

vulnerability	VCID-1mmc-91gk-r3d3

vulnerability	VCID-1p79-328x-sueq

vulnerability	VCID-3x46-q9cb-7ubg

vulnerability	VCID-5cfa-whq6-9ucp

vulnerability	VCID-79qx-v5uu-jyf2

vulnerability	VCID-7hxq-cp29-r7dh

vulnerability	VCID-86vg-4j71-hkgr

vulnerability	VCID-8u5c-6vx3-mfcr

vulnerability	VCID-9y5u-qyzd-3ud9

vulnerability	VCID-a7cf-kpzy-xudd

vulnerability	VCID-b6nm-cphj-wfgw

vulnerability	VCID-b95v-49p7-fkas

vulnerability	VCID-c6bz-jwhm-vkgp

vulnerability	VCID-cmwn-cjff-9qau

vulnerability	VCID-gnpw-s9hp-wqfs

vulnerability	VCID-hcuz-gz3w-97ew

vulnerability	VCID-k46z-g6jp-57ek

vulnerability	VCID-ky21-z2d2-sye6

vulnerability	VCID-mkex-ht2r-cucz

vulnerability	VCID-n4fk-735u-2baw

vulnerability	VCID-nute-ndg2-z7ev

vulnerability	VCID-pkve-yjqy-syc2

vulnerability	VCID-qdwg-f2bx-1bay

vulnerability	VCID-qmfy-dxag-uuex

vulnerability	VCID-r1eg-dwej-5kau

vulnerability	VCID-sg62-98yy-2kd7

vulnerability	VCID-t81f-5b8z-hyht

vulnerability	VCID-tv7h-289s-xub4

vulnerability	VCID-umhc-fdfh-1fdx

vulnerability	VCID-uy47-3s8a-hbdn

vulnerability	VCID-wgdv-etcq-3qhw

vulnerability	VCID-xg74-3h1h-kqaf

vulnerability	VCID-y8et-m846-2fc6

vulnerability	VCID-zdge-zsmz-8ud9

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@3.3.4

url pkg:composer/silverstripe/framework@3.4.2

purl pkg:composer/silverstripe/framework@3.4.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-11sx-j3x7-gkcr

vulnerability	VCID-1mmc-91gk-r3d3

vulnerability	VCID-1p79-328x-sueq

vulnerability	VCID-3j6f-5c14-uubc

vulnerability	VCID-3x46-q9cb-7ubg

vulnerability	VCID-4qjj-wqg5-dbay

vulnerability	VCID-5cfa-whq6-9ucp

vulnerability	VCID-79qx-v5uu-jyf2

vulnerability	VCID-7hxq-cp29-r7dh

vulnerability	VCID-86vg-4j71-hkgr

vulnerability	VCID-8u5c-6vx3-mfcr

vulnerability	VCID-9y5u-qyzd-3ud9

vulnerability	VCID-a7cf-kpzy-xudd

vulnerability	VCID-b6nm-cphj-wfgw

vulnerability	VCID-b95v-49p7-fkas

vulnerability	VCID-bwrh-updj-zkfs

vulnerability	VCID-c6bz-jwhm-vkgp

vulnerability	VCID-cmwn-cjff-9qau

vulnerability	VCID-gnpw-s9hp-wqfs

vulnerability	VCID-hcuz-gz3w-97ew

vulnerability	VCID-k46z-g6jp-57ek

vulnerability	VCID-ky21-z2d2-sye6

vulnerability	VCID-mkex-ht2r-cucz

vulnerability	VCID-n4fk-735u-2baw

vulnerability	VCID-njph-ua7r-auaq

vulnerability	VCID-nute-ndg2-z7ev

vulnerability	VCID-pkve-yjqy-syc2

vulnerability	VCID-qdwg-f2bx-1bay

vulnerability	VCID-qmfy-dxag-uuex

vulnerability	VCID-r1eg-dwej-5kau

vulnerability	VCID-sg62-98yy-2kd7

vulnerability	VCID-t81f-5b8z-hyht

vulnerability	VCID-tv7h-289s-xub4

vulnerability	VCID-umhc-fdfh-1fdx

vulnerability	VCID-uy47-3s8a-hbdn

vulnerability	VCID-wgdv-etcq-3qhw

vulnerability	VCID-xg74-3h1h-kqaf

vulnerability	VCID-y8et-m846-2fc6

vulnerability	VCID-zdge-zsmz-8ud9

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@3.4.2

aliases SS-2016-010

risk_score null

exploitability 0.5

weighted_severity 0.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hnme-cqff-c7dp

url VCID-z28b-1yrx-1bbn

vulnerability_id VCID-z28b-1yrx-1bbn

summary

Password encryption salt expiry
When a user changes their password, the internal salt used for hashing their password is not updated.

references

reference_url	https://www.silverstripe.org/download/security-releases/ss-2016-008/
reference_id
reference_type
scores
url	https://www.silverstripe.org/download/security-releases/ss-2016-008/

fixed_packages

url pkg:composer/silverstripe/framework@3.3.3

purl pkg:composer/silverstripe/framework@3.3.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-11sx-j3x7-gkcr

vulnerability	VCID-1mmc-91gk-r3d3

vulnerability	VCID-1p79-328x-sueq

vulnerability	VCID-36z3-nafq-6kez

vulnerability	VCID-3x46-q9cb-7ubg

vulnerability	VCID-5cfa-whq6-9ucp

vulnerability	VCID-79qx-v5uu-jyf2

vulnerability	VCID-7hxq-cp29-r7dh

vulnerability	VCID-86vg-4j71-hkgr

vulnerability	VCID-8u5c-6vx3-mfcr

vulnerability	VCID-9hf4-djcv-67d7

vulnerability	VCID-9y5u-qyzd-3ud9

vulnerability	VCID-a7cf-kpzy-xudd

vulnerability	VCID-b6nm-cphj-wfgw

vulnerability	VCID-b95v-49p7-fkas

vulnerability	VCID-c6bz-jwhm-vkgp

vulnerability	VCID-cmwn-cjff-9qau

vulnerability	VCID-gnpw-s9hp-wqfs

vulnerability	VCID-hcuz-gz3w-97ew

vulnerability	VCID-hnme-cqff-c7dp

vulnerability	VCID-k46z-g6jp-57ek

vulnerability	VCID-ky21-z2d2-sye6

vulnerability	VCID-mkex-ht2r-cucz

vulnerability	VCID-n4fk-735u-2baw

vulnerability	VCID-nute-ndg2-z7ev

vulnerability	VCID-pkve-yjqy-syc2

vulnerability	VCID-qdwg-f2bx-1bay

vulnerability	VCID-qj5k-bcw3-5fgq

vulnerability	VCID-qmfy-dxag-uuex

vulnerability	VCID-r1eg-dwej-5kau

vulnerability	VCID-sg62-98yy-2kd7

vulnerability	VCID-t81f-5b8z-hyht

vulnerability	VCID-tv7h-289s-xub4

vulnerability	VCID-umhc-fdfh-1fdx

vulnerability	VCID-uy47-3s8a-hbdn

vulnerability	VCID-wgdv-etcq-3qhw

vulnerability	VCID-xg74-3h1h-kqaf

vulnerability	VCID-y8et-m846-2fc6

vulnerability	VCID-zdge-zsmz-8ud9

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@3.3.3

url pkg:composer/silverstripe/framework@3.4.1

purl pkg:composer/silverstripe/framework@3.4.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-11sx-j3x7-gkcr

vulnerability	VCID-1mmc-91gk-r3d3

vulnerability	VCID-1p79-328x-sueq

vulnerability	VCID-36z3-nafq-6kez

vulnerability	VCID-3j6f-5c14-uubc

vulnerability	VCID-3x46-q9cb-7ubg

vulnerability	VCID-4qjj-wqg5-dbay

vulnerability	VCID-5cfa-whq6-9ucp

vulnerability	VCID-79qx-v5uu-jyf2

vulnerability	VCID-7hxq-cp29-r7dh

vulnerability	VCID-86vg-4j71-hkgr

vulnerability	VCID-8u5c-6vx3-mfcr

vulnerability	VCID-9hf4-djcv-67d7

vulnerability	VCID-9y5u-qyzd-3ud9

vulnerability	VCID-a7cf-kpzy-xudd

vulnerability	VCID-b6nm-cphj-wfgw

vulnerability	VCID-b95v-49p7-fkas

vulnerability	VCID-bwrh-updj-zkfs

vulnerability	VCID-c6bz-jwhm-vkgp

vulnerability	VCID-cmwn-cjff-9qau

vulnerability	VCID-gnpw-s9hp-wqfs

vulnerability	VCID-hcuz-gz3w-97ew

vulnerability	VCID-hnme-cqff-c7dp

vulnerability	VCID-k46z-g6jp-57ek

vulnerability	VCID-ky21-z2d2-sye6

vulnerability	VCID-mkex-ht2r-cucz

vulnerability	VCID-n4fk-735u-2baw

vulnerability	VCID-njph-ua7r-auaq

vulnerability	VCID-nute-ndg2-z7ev

vulnerability	VCID-pkve-yjqy-syc2

vulnerability	VCID-qdwg-f2bx-1bay

vulnerability	VCID-qj5k-bcw3-5fgq

vulnerability	VCID-qmfy-dxag-uuex

vulnerability	VCID-r1eg-dwej-5kau

vulnerability	VCID-sg62-98yy-2kd7

vulnerability	VCID-t81f-5b8z-hyht

vulnerability	VCID-tv7h-289s-xub4

vulnerability	VCID-umhc-fdfh-1fdx

vulnerability	VCID-uy47-3s8a-hbdn

vulnerability	VCID-wgdv-etcq-3qhw

vulnerability	VCID-xg74-3h1h-kqaf

vulnerability	VCID-y8et-m846-2fc6

vulnerability	VCID-zdge-zsmz-8ud9

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@3.4.1

url pkg:composer/silverstripe/framework@4.0.0-alpha1

purl pkg:composer/silverstripe/framework@4.0.0-alpha1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-11sx-j3x7-gkcr

vulnerability	VCID-1p79-328x-sueq

vulnerability	VCID-5cfa-whq6-9ucp

vulnerability	VCID-79qx-v5uu-jyf2

vulnerability	VCID-7hxq-cp29-r7dh

vulnerability	VCID-86vg-4j71-hkgr

vulnerability	VCID-8u5c-6vx3-mfcr

vulnerability	VCID-9y5u-qyzd-3ud9

vulnerability	VCID-a7cf-kpzy-xudd

vulnerability	VCID-b6nm-cphj-wfgw

vulnerability	VCID-cmwn-cjff-9qau

vulnerability	VCID-gnpw-s9hp-wqfs

vulnerability	VCID-hcuz-gz3w-97ew

vulnerability	VCID-k46z-g6jp-57ek

vulnerability	VCID-ky21-z2d2-sye6

vulnerability	VCID-mkex-ht2r-cucz

vulnerability	VCID-n4fk-735u-2baw

vulnerability	VCID-nute-ndg2-z7ev

vulnerability	VCID-qmfy-dxag-uuex

vulnerability	VCID-r1eg-dwej-5kau

vulnerability	VCID-tv7h-289s-xub4

vulnerability	VCID-uy47-3s8a-hbdn

vulnerability	VCID-wgdv-etcq-3qhw

vulnerability	VCID-xg74-3h1h-kqaf

vulnerability	VCID-y8et-m846-2fc6

vulnerability	VCID-zdge-zsmz-8ud9

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@4.0.0-alpha1

aliases SS-2016-008

risk_score null

exploitability 0.5

weighted_severity 0.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-z28b-1yrx-1bbn

Fixing_vulnerabilities

Risk_score null

Resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@3.3.0-alpha0

Package Instance