
Vulnerability_id VCID-7bpb-cgj3-b7ay
Summary
SilverStripe Vulnerability on 'isDev', 'isTest' and 'flush' $_GET validation
When a secure token parameter is provided to a SilverStripe site (such as isDev or flush), an empty token parameter can be supplied in order to bypass the normal authentication parameters.

For instance, http://www.mysite.com/?isDev=1&isDevtoken will force a site to dev mode. Alternatively, "flush" could also be used in succession to cause excessive load on a victim site and risk denial of service.

The fix in this case is to ensure that empty tokens fail the validation check.
Aliases
0
alias GHSA-g4hp-pfvf-vm5w
Fixed_packages
0
url pkg:composer/silverstripe/framework@3.0.14
purl pkg:composer/silverstripe/framework@3.0.14
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1mmc-91gk-r3d3
1
vulnerability VCID-1uhv-fetz-j7fd
2
vulnerability VCID-36z3-nafq-6kez
3
vulnerability VCID-3x46-q9cb-7ubg
4
vulnerability VCID-4n9x-x4kd-jyfu
5
vulnerability VCID-7ek4-6y31-1qcs
6
vulnerability VCID-7hxq-cp29-r7dh
7
vulnerability VCID-at1s-qxsg-5yfs
8
vulnerability VCID-b6nm-cphj-wfgw
9
vulnerability VCID-b7xq-cz8w-ubgm
10
vulnerability VCID-b95v-49p7-fkas
11
vulnerability VCID-c437-w2zy-y7c9
12
vulnerability VCID-c6bz-jwhm-vkgp
13
vulnerability VCID-cmwn-cjff-9qau
14
vulnerability VCID-evh4-xq48-4fa6
15
vulnerability VCID-ewg1-jqza-eyez
16
vulnerability VCID-ggbg-8mtc-hudc
17
vulnerability VCID-gkkp-9fm7-jfaz
18
vulnerability VCID-h4k6-fruf-uqff
19
vulnerability VCID-hnme-cqff-c7dp
20
vulnerability VCID-m5rs-qptc-vued
21
vulnerability VCID-mkex-ht2r-cucz
22
vulnerability VCID-nu3h-nb1g-67bs
23
vulnerability VCID-nute-ndg2-z7ev
24
vulnerability VCID-q939-fszs-wfdp
25
vulnerability VCID-qdwg-f2bx-1bay
26
vulnerability VCID-r1eg-dwej-5kau
27
vulnerability VCID-t81f-5b8z-hyht
28
vulnerability VCID-umhc-fdfh-1fdx
29
vulnerability VCID-xg74-3h1h-kqaf
30
vulnerability VCID-y8et-m846-2fc6
31
vulnerability VCID-yfuu-th6b-nba4
32
vulnerability VCID-z28b-1yrx-1bbn
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@3.0.14
1
url pkg:composer/silverstripe/framework@3.1.13
purl pkg:composer/silverstripe/framework@3.1.13
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1mmc-91gk-r3d3
1
vulnerability VCID-1uhv-fetz-j7fd
2
vulnerability VCID-36z3-nafq-6kez
3
vulnerability VCID-3x46-q9cb-7ubg
4
vulnerability VCID-4n9x-x4kd-jyfu
5
vulnerability VCID-7ek4-6y31-1qcs
6
vulnerability VCID-7hxq-cp29-r7dh
7
vulnerability VCID-at1s-qxsg-5yfs
8
vulnerability VCID-b6nm-cphj-wfgw
9
vulnerability VCID-b7xq-cz8w-ubgm
10
vulnerability VCID-b95v-49p7-fkas
11
vulnerability VCID-c437-w2zy-y7c9
12
vulnerability VCID-c6bz-jwhm-vkgp
13
vulnerability VCID-cmwn-cjff-9qau
14
vulnerability VCID-evh4-xq48-4fa6
15
vulnerability VCID-ewg1-jqza-eyez
16
vulnerability VCID-ggbg-8mtc-hudc
17
vulnerability VCID-gkkp-9fm7-jfaz
18
vulnerability VCID-h4k6-fruf-uqff
19
vulnerability VCID-hnhv-qx7p-wqcw
20
vulnerability VCID-hnme-cqff-c7dp
21
vulnerability VCID-m5rs-qptc-vued
22
vulnerability VCID-mkex-ht2r-cucz
23
vulnerability VCID-nu3h-nb1g-67bs
24
vulnerability VCID-nute-ndg2-z7ev
25
vulnerability VCID-q939-fszs-wfdp
26
vulnerability VCID-qdwg-f2bx-1bay
27
vulnerability VCID-r1eg-dwej-5kau
28
vulnerability VCID-rrmd-ud59-ffbp
29
vulnerability VCID-sfyd-qn7r-eqdg
30
vulnerability VCID-t81f-5b8z-hyht
31
vulnerability VCID-twrb-6j51-aqcy
32
vulnerability VCID-umhc-fdfh-1fdx
33
vulnerability VCID-vatm-1vbd-bfam
34
vulnerability VCID-xg74-3h1h-kqaf
35
vulnerability VCID-y8et-m846-2fc6
36
vulnerability VCID-yfuu-th6b-nba4
37
vulnerability VCID-z28b-1yrx-1bbn
38
vulnerability VCID-zckr-zxq4-jyev
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@3.1.13
Affected_packages
0
url pkg:composer/silverstripe/framework@3.0.0
purl pkg:composer/silverstripe/framework@3.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1mmc-91gk-r3d3
1
vulnerability VCID-3snr-vtda-jqdj
2
vulnerability VCID-78b6-1v3w-qfc3
3
vulnerability VCID-7bpb-cgj3-b7ay
4
vulnerability VCID-8xwp-xd3k-fqaz
5
vulnerability VCID-nu3h-nb1g-67bs
6
vulnerability VCID-pkve-yjqy-syc2
7
vulnerability VCID-sg62-98yy-2kd7
8
vulnerability VCID-umhc-fdfh-1fdx
9
vulnerability VCID-uy47-3s8a-hbdn
10
vulnerability VCID-uyxp-7fh1-77cg
11
vulnerability VCID-wmfv-vtnz-bkad
12
vulnerability VCID-xsgv-a7bd-fqh8
13
vulnerability VCID-yfuu-th6b-nba4
14
vulnerability VCID-zca8-91sf-qkb4
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@3.0.0
1
url pkg:composer/silverstripe/framework@3.1.0
purl pkg:composer/silverstripe/framework@3.1.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1mmc-91gk-r3d3
1
vulnerability VCID-1uhv-fetz-j7fd
2
vulnerability VCID-36z3-nafq-6kez
3
vulnerability VCID-3snr-vtda-jqdj
4
vulnerability VCID-3x46-q9cb-7ubg
5
vulnerability VCID-4n9x-x4kd-jyfu
6
vulnerability VCID-554z-dzgc-2fgz
7
vulnerability VCID-55xx-k2g1-tqch
8
vulnerability VCID-5ztp-wmty-aybx
9
vulnerability VCID-78b6-1v3w-qfc3
10
vulnerability VCID-7bg1-32qq-xqg9
11
vulnerability VCID-7bpb-cgj3-b7ay
12
vulnerability VCID-7ek4-6y31-1qcs
13
vulnerability VCID-7hxq-cp29-r7dh
14
vulnerability VCID-7j9y-p9s4-y7bg
15
vulnerability VCID-7u7w-z8e3-aygf
16
vulnerability VCID-8jxx-tgck-fuf1
17
vulnerability VCID-8wmb-64qq-7uh2
18
vulnerability VCID-8xwp-xd3k-fqaz
19
vulnerability VCID-at1s-qxsg-5yfs
20
vulnerability VCID-b6nm-cphj-wfgw
21
vulnerability VCID-b7xq-cz8w-ubgm
22
vulnerability VCID-b95v-49p7-fkas
23
vulnerability VCID-c437-w2zy-y7c9
24
vulnerability VCID-c6bz-jwhm-vkgp
25
vulnerability VCID-cmwn-cjff-9qau
26
vulnerability VCID-cscn-9erz-dfh1
27
vulnerability VCID-evh4-xq48-4fa6
28
vulnerability VCID-ewg1-jqza-eyez
29
vulnerability VCID-ggbg-8mtc-hudc
30
vulnerability VCID-gkkp-9fm7-jfaz
31
vulnerability VCID-h4k6-fruf-uqff
32
vulnerability VCID-hnhv-qx7p-wqcw
33
vulnerability VCID-hnme-cqff-c7dp
34
vulnerability VCID-kgf1-m5hq-1yay
35
vulnerability VCID-m5rs-qptc-vued
36
vulnerability VCID-mkex-ht2r-cucz
37
vulnerability VCID-nu3h-nb1g-67bs
38
vulnerability VCID-nute-ndg2-z7ev
39
vulnerability VCID-puvt-j32v-77eh
40
vulnerability VCID-q939-fszs-wfdp
41
vulnerability VCID-qdwg-f2bx-1bay
42
vulnerability VCID-r1eg-dwej-5kau
43
vulnerability VCID-rmsa-pfr6-zkg3
44
vulnerability VCID-rrmd-ud59-ffbp
45
vulnerability VCID-t81f-5b8z-hyht
46
vulnerability VCID-twrb-6j51-aqcy
47
vulnerability VCID-u5bz-h3js-yygc
48
vulnerability VCID-u6za-xw77-8kgx
49
vulnerability VCID-ue4x-s1c4-zkcz
50
vulnerability VCID-umhc-fdfh-1fdx
51
vulnerability VCID-uyxp-7fh1-77cg
52
vulnerability VCID-vatm-1vbd-bfam
53
vulnerability VCID-wmfv-vtnz-bkad
54
vulnerability VCID-xg74-3h1h-kqaf
55
vulnerability VCID-y8et-m846-2fc6
56
vulnerability VCID-yfuu-th6b-nba4
57
vulnerability VCID-z28b-1yrx-1bbn
58
vulnerability VCID-zckr-zxq4-jyev
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@3.1.0
References
0
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2015-014-1.yaml
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2015-014-1.yaml
1
reference_url https://github.com/silverstripe/silverstripe-framework
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/silverstripe/silverstripe-framework
2
reference_url https://github.com/silverstripe/silverstripe-framework/commit/a978b891e13d22dddee7e0735a7032f13964447d
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/silverstripe/silverstripe-framework/commit/a978b891e13d22dddee7e0735a7032f13964447d
3
reference_url https://github.com/silverstripe/silverstripe-framework/commit/cb6717c3f85753bdc30087f280720c6d3f639ff3
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/silverstripe/silverstripe-framework/commit/cb6717c3f85753bdc30087f280720c6d3f639ff3
4
reference_url https://www.silverstripe.org/software/download/security-releases/ss-2015-014
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.silverstripe.org/software/download/security-releases/ss-2015-014
5
reference_url https://github.com/advisories/GHSA-g4hp-pfvf-vm5w
reference_id GHSA-g4hp-pfvf-vm5w
reference_type
scores
url https://github.com/advisories/GHSA-g4hp-pfvf-vm5w
Weaknesses
0
cwe_id 639
name Authorization Bypass Through User-Controlled Key
description The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
1
cwe_id 937
name OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.
2
cwe_id 1035
name OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.
Exploits
Severity_range_score 4.0 - 6.9
Exploitability 0.5
Weighted_severity 6.2
Risk_score 3.1
Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-7bpb-cgj3-b7ay