Lookup for vulnerable packages by Package URL.

purl pkg:composer/silverstripe/framework@4.0.0
type composer
namespace silverstripe
name framework
version 4.0.0
qualifiers
subpath
is_vulnerable true
next_non_vulnerable_version 4.0.1
latest_non_vulnerable_version 5.1.11
affected_by_vulnerabilities
0
url VCID-1mmc-91gk-r3d3
vulnerability_id VCID-1mmc-91gk-r3d3
summary SilverStripe allows Reflected SQL Injection through Form and `DataObject`.
references
0
reference_url https://www.silverstripe.org/download/security-releases/ss-2018-021
reference_id
reference_type
scores
url https://www.silverstripe.org/download/security-releases/ss-2018-021
fixed_packages
0
url pkg:composer/silverstripe/framework@4.0.7
purl pkg:composer/silverstripe/framework@4.0.7
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@4.0.7
1
url pkg:composer/silverstripe/framework@4.1.5
purl pkg:composer/silverstripe/framework@4.1.5
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@4.1.5
2
url pkg:composer/silverstripe/framework@4.2.4
purl pkg:composer/silverstripe/framework@4.2.4
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@4.2.4
3
url pkg:composer/silverstripe/framework@4.3.1
purl pkg:composer/silverstripe/framework@4.3.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@4.3.1
aliases CVE-2019-5715
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1mmc-91gk-r3d3
1
url VCID-2hk2-hzyh-wbhf
vulnerability_id VCID-2hk2-hzyh-wbhf
summary
Silverstripe Framework user enumeration via timing attack on login and password reset forms
User enumeration is possible by performing a timing attack on the login or password reset pages with user credentials.

This was originally disclosed in https://www.silverstripe.org/download/security-releases/ss-2017-005/ for CMS 3 but was not patched in CMS 4+
references
0
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2025-001.yaml
reference_id
reference_type
scores
url https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2025-001.yaml
1
reference_url https://github.com/silverstripe/silverstripe-framework
reference_id
reference_type
scores
url https://github.com/silverstripe/silverstripe-framework
2
reference_url https://github.com/silverstripe/silverstripe-framework/pull/11681
reference_id
reference_type
scores
url https://github.com/silverstripe/silverstripe-framework/pull/11681
3
reference_url https://www.silverstripe.org/download/security-releases/ss-2017-005
reference_id
reference_type
scores
url https://www.silverstripe.org/download/security-releases/ss-2017-005
4
reference_url https://www.silverstripe.org/download/security-releases/ss-2025-001
reference_id
reference_type
scores
url https://www.silverstripe.org/download/security-releases/ss-2025-001
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2017-12849
reference_id CVE-2017-12849
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2017-12849
6
reference_url https://github.com/advisories/GHSA-256q-hx8w-xcqx
reference_id GHSA-256q-hx8w-xcqx
reference_type
scores
url https://github.com/advisories/GHSA-256q-hx8w-xcqx
7
reference_url https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-256q-hx8w-xcqx
reference_id GHSA-256q-hx8w-xcqx
reference_type
scores
url https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-256q-hx8w-xcqx
fixed_packages
0
url pkg:composer/silverstripe/framework@5.3.23
purl pkg:composer/silverstripe/framework@5.3.23
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@5.3.23
aliases GHSA-256q-hx8w-xcqx
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2hk2-hzyh-wbhf
2
url VCID-7hxq-cp29-r7dh
vulnerability_id VCID-7hxq-cp29-r7dh
summary
Cross-site Scripting
In SilverStripe asset-admin, there is XSS in file titles managed through the CMS.
references
0
reference_url https://forum.silverstripe.org/c/releases
reference_id
reference_type
scores
url https://forum.silverstripe.org/c/releases
1
reference_url https://www.silverstripe.org/blog/tag/release
reference_id
reference_type
scores
url https://www.silverstripe.org/blog/tag/release
2
reference_url https://www.silverstripe.org/download/security-releases/
reference_id
reference_type
scores
url https://www.silverstripe.org/download/security-releases/
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2019-14272
reference_id CVE-2019-14272
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2019-14272
4
reference_url https://www.silverstripe.org/download/security-releases/CVE-2019-14272
reference_id CVE-2019-14272
reference_type
scores
url https://www.silverstripe.org/download/security-releases/CVE-2019-14272
fixed_packages
0
url pkg:composer/silverstripe/framework@4.0.1
purl pkg:composer/silverstripe/framework@4.0.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@4.0.1
aliases CVE-2019-14272
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-7hxq-cp29-r7dh
3
url VCID-mkex-ht2r-cucz
vulnerability_id VCID-mkex-ht2r-cucz
summary
Files or Directories Accessible to External Parties
In SilverStripe, there is broken access control on files.
references
0
reference_url https://forum.silverstripe.org/c/releases
reference_id
reference_type
scores
url https://forum.silverstripe.org/c/releases
1
reference_url https://www.silverstripe.org/blog/tag/release
reference_id
reference_type
scores
url https://www.silverstripe.org/blog/tag/release
2
reference_url https://www.silverstripe.org/download/security-releases/
reference_id
reference_type
scores
url https://www.silverstripe.org/download/security-releases/
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2019-14273
reference_id CVE-2019-14273
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2019-14273
4
reference_url https://www.silverstripe.org/download/security-releases/CVE-2019-14273
reference_id CVE-2019-14273
reference_type
scores
url https://www.silverstripe.org/download/security-releases/CVE-2019-14273
fixed_packages
0
url pkg:composer/silverstripe/framework@4.0.1
purl pkg:composer/silverstripe/framework@4.0.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@4.0.1
aliases CVE-2019-14273
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-mkex-ht2r-cucz
4
url VCID-nzcm-xbxx-wyf9
vulnerability_id VCID-nzcm-xbxx-wyf9
summary
SilverStripe Versioned Files module Unpublished files are exposed publicly
In the Versioned Files module through 2.0.3 for SilverStripe 3.x, unpublished versions of files are publicly exposed to anyone who can guess their URL. This guess could be highly informed by a basic understanding of the symbiote/silverstripe-versionedfiles source code. (Users who upgrade from SilverStripe 3.x to 4.x and had Versioned Files installed have no further need for this module, because the 4.x release has built-in versioning. However, nothing in the upgrade process automates the destruction of these insecure artefacts, nor alerts the user to the criticality of destruction.)
references
0
reference_url https://github.com/silverstripe/silverstripe-framework
reference_id
reference_type
scores
url https://github.com/silverstripe/silverstripe-framework
1
reference_url https://github.com/symbiote/silverstripe-versionedfiles
reference_id
reference_type
scores
url https://github.com/symbiote/silverstripe-versionedfiles
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2019-16409
reference_id CVE-2019-16409
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2019-16409
3
reference_url https://www.silverstripe.org/download/security-releases/cve-2019-16409
reference_id CVE-2019-16409
reference_type
scores
url https://www.silverstripe.org/download/security-releases/cve-2019-16409
4
reference_url https://www.silverstripe.org/download/security-releases/cve-2019-16409/
reference_id CVE-2019-16409
reference_type
scores
url https://www.silverstripe.org/download/security-releases/cve-2019-16409/
5
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2019-16409.yaml
reference_id CVE-2019-16409.YAML
reference_type
scores
url https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2019-16409.yaml
6
reference_url https://github.com/advisories/GHSA-xm6j-x342-gwq9
reference_id GHSA-xm6j-x342-gwq9
reference_type
scores
url https://github.com/advisories/GHSA-xm6j-x342-gwq9
fixed_packages
0
url pkg:composer/silverstripe/framework@4.3.5
purl pkg:composer/silverstripe/framework@4.3.5
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@4.3.5
1
url pkg:composer/silverstripe/framework@4.4.4
purl pkg:composer/silverstripe/framework@4.4.4
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@4.4.4
aliases CVE-2019-16409, GHSA-xm6j-x342-gwq9
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-nzcm-xbxx-wyf9
5
url VCID-qdwg-f2bx-1bay
vulnerability_id VCID-qdwg-f2bx-1bay
summary
Injection Vulnerability
In the CSV export feature of SilverStripe, it is possible for the output to contain macros and scripts, which may be executed if imported without sanitization into common software.
references
0
reference_url https://www.exploit-db.com/exploits/43396/
reference_id
reference_type
scores
url https://www.exploit-db.com/exploits/43396/
1
reference_url https://www.silverstripe.org/download/security-releases/ss-2017-007
reference_id
reference_type
scores
url https://www.silverstripe.org/download/security-releases/ss-2017-007
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2017-18049
reference_id CVE-2017-18049
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2017-18049
fixed_packages
0
url pkg:composer/silverstripe/framework@4.0.1
purl pkg:composer/silverstripe/framework@4.0.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@4.0.1
aliases CVE-2017-18049
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qdwg-f2bx-1bay
6
url VCID-ru3j-21j8-ayhm
vulnerability_id VCID-ru3j-21j8-ayhm
summary
Unrestricted Upload of File with Dangerous Type
In SilverStripe, files uploaded via Forms to folders migrated from Silverstripe may be put to the default `/Uploads` folder instead.
references
0
reference_url https://forum.silverstripe.org/c/releases
reference_id
reference_type
scores
url https://forum.silverstripe.org/c/releases
1
reference_url https://www.silverstripe.org/download/security-releases/
reference_id
reference_type
scores
url https://www.silverstripe.org/download/security-releases/
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-9280
reference_id CVE-2020-9280
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2020-9280
3
reference_url https://www.silverstripe.org/download/security-releases/cve-2020-9280
reference_id CVE-2020-9280
reference_type
scores
url https://www.silverstripe.org/download/security-releases/cve-2020-9280
fixed_packages
0
url pkg:composer/silverstripe/framework@4.5.1
purl pkg:composer/silverstripe/framework@4.5.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@4.5.1
aliases CVE-2020-9280
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ru3j-21j8-ayhm
7
url VCID-ytbc-8mhd-b3fc
vulnerability_id VCID-ytbc-8mhd-b3fc
summary
Information Exposure
In SilverStripe, a specific URL path configured by default through the silverstripe/framework module can be used to disclose the fact that a domain is hosting a Silverstripe application. There is no disclosure of the specific version. The functionality on this URL path is limited to execution in a CLI context, and is not known to present a vulnerability through web-based access. As a side effect, this preconfigured path also blocks the creation of other resources on this path (e.g. a page).
references
0
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-6164
reference_id CVE-2020-6164
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2020-6164
1
reference_url https://www.silverstripe.org/download/security-releases/CVE-2020-6164
reference_id CVE-2020-6164
reference_type
scores
url https://www.silverstripe.org/download/security-releases/CVE-2020-6164
fixed_packages
0
url pkg:composer/silverstripe/framework@4.5.4
purl pkg:composer/silverstripe/framework@4.5.4
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@4.5.4
aliases CVE-2020-6164
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ytbc-8mhd-b3fc
fixing_vulnerabilities
risk_score null
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@4.0.0