Look up vulnerabilities affecting packages.

GET /api/vulnerabilities/38043?format=api
HTTP 200 OK
Allow: GET, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "url": "http://public2.vulnerablecode.io/api/vulnerabilities/38043?format=api",
    "vulnerability_id": "VCID-wdcz-6vpn-ffd8",
    "summary": "Missing security check on dev/build/defaults\nThe `buildDefaults` method on `DevelopmentAdmin` is missing a permission check. In live mode, if you access /dev/build, you are asked to log in first. However, if you access /dev/build/defaults, then the action is performed without any login check. This should be protected in the same way that /dev/build is. The `buildDefaults` view calls `requireDefaultRecords()` on each `DataObject` class, and hence has the potential to modify database state. It also lists all modified tables, allowing attackers more insight into which modules are used, and how the database tables are structured.",
    "aliases": [
        {
            "alias": "SS-2015-028"
        }
    ],
    "fixed_packages": [
        {
            "url": "http://public2.vulnerablecode.io/api/packages/52568?format=api",
            "purl": "pkg:composer/silverstripe/cms@3.1.17",
            "is_vulnerable": false,
            "affected_by_vulnerabilities": [],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/cms@3.1.17"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/52569?format=api",
            "purl": "pkg:composer/silverstripe/cms@3.2.2",
            "is_vulnerable": false,
            "affected_by_vulnerabilities": [],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/cms@3.2.2"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/52570?format=api",
            "purl": "pkg:composer/silverstripe/cms@3.3.0",
            "is_vulnerable": false,
            "affected_by_vulnerabilities": [],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/cms@3.3.0"
        }
    ],
    "affected_packages": [
        {
            "url": "http://public2.vulnerablecode.io/api/packages/52565?format=api",
            "purl": "pkg:composer/silverstripe/cms@3.1.0-alpha",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-2c84-9xxd-pub2"
                },
                {
                    "vulnerability": "VCID-5cd5-kmjz-h7bv"
                },
                {
                    "vulnerability": "VCID-wdcz-6vpn-ffd8"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/cms@3.1.0-alpha"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/52566?format=api",
            "purl": "pkg:composer/silverstripe/cms@3.2.0-alpha",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-2c84-9xxd-pub2"
                },
                {
                    "vulnerability": "VCID-5cd5-kmjz-h7bv"
                },
                {
                    "vulnerability": "VCID-wdcz-6vpn-ffd8"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/cms@3.2.0-alpha"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/52567?format=api",
            "purl": "pkg:composer/silverstripe/cms@3.3.0-alpha",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-2c84-9xxd-pub2"
                },
                {
                    "vulnerability": "VCID-5cd5-kmjz-h7bv"
                },
                {
                    "vulnerability": "VCID-wdcz-6vpn-ffd8"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/cms@3.3.0-alpha"
        }
    ],
    "references": [
        {
            "reference_url": "http://www.silverstripe.org/download/security-releases/ss-2015-028/",
            "reference_id": "",
            "reference_type": "",
            "scores": [],
            "url": "http://www.silverstripe.org/download/security-releases/ss-2015-028/"
        }
    ],
    "weaknesses": [
        {
            "cwe_id": 1035,
            "name": "OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities",
            "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."
        },
        {
            "cwe_id": 937,
            "name": "OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities",
            "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."
        }
    ],
    "exploits": [],
    "severity_range_score": null,
    "exploitability": null,
    "weighted_severity": null,
    "risk_score": null,
    "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-wdcz-6vpn-ffd8"
}