Search for packages
| purl | pkg:composer/silverstripe/admin@1.0.4 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-a2ds-v3du-3qcm
Aliases: GHSA-4q66-g4mm-8rg5 GMS-2023-1800 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in silverstripe/admin. |
Affected by 1 other vulnerability. |
|
VCID-k6d6-ebmd-jufu
Aliases: GHSA-jxcx-3h54-qqxx GMS-2023-1964 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in silverstripe/admin. |
Affected by 1 other vulnerability. |
|
VCID-kfgu-7y1x-vugs
Aliases: CVE-2022-38146 GHSA-44xv-v98g-v79f |
URL XSS vulnerability due to outdated jquery in CMS Silverstripe silverstripe/framework through 4.11 allows XSS (issue 2 of 3). |
Affected by 4 other vulnerabilities. |
|
VCID-pq29-qe7h-tkcp
Aliases: CVE-2019-12205 GHSA-rfvw-5848-gxc5 |
Silverstripe Flash Clipboard Reflected XSS SilverStripe versions 3.0.0 until 4.3.5 and 4.4.4 are vulnerable to Flash Clipboard Reflected XSS. Versions 4.3.5 and 4.4.4 of `silverstripe/framework` and version 1.3.5 of `silverstripe/admin` contain a fix for this issue. |
Affected by 6 other vulnerabilities. |
|
VCID-r237-7hnx-kbeq
Aliases: CVE-2023-49783 GHSA-j3m6-gvm8-mhvw |
No permission checks for editing/deleting records with CSV import form ### Impact Users who don't have edit or delete permissions for records exposed in a `ModelAdmin` can still edit or delete records using the CSV import form, provided they have create permissions. The likelyhood of a user having create permissions but _not_ having edit or delete permissions is low, but it _is_ possible. Note that this doesn't affect any `ModelAdmin` which has had the import form disabled via the [`showImportForm` public property](https://api.silverstripe.org/4/SilverStripe/Admin/ModelAdmin.html#property_showImportForm), nor does it impact the `SecurityAdmin` section. #### Action may be required If you have a custom implementation of [`BulkLoader`](https://api.silverstripe.org/4/SilverStripe/Dev/BulkLoader.html), you should update your implementation to respect permissions when the return value of [`getCheckPermissions()`](https://api.silverstripe.org/4/SilverStripe/Dev/BulkLoader.html#method_getCheckPermissions) is true. If you are using any `BulkLoader` in your own project logic, or maintain a module which uses it, you should consider passing `true` to [`setCheckPermissions()`](https://api.silverstripe.org/4/SilverStripe/Dev/BulkLoader.html#method_setCheckPermissions) if the data is provided by users. **Base CVSS:** [4.3](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:F/RL:O/RC:C&version=3.1) **Reported by:** Guy Sartorelli from Silverstripe ### References - https://www.silverstripe.org/download/security-releases/CVE-2023-49783 |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-tc2y-zrea-vyb2
Aliases: CVE-2021-36150 GHSA-j66h-cc96-c32q |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') SilverStripe Framework suffers from a XSS vulnerablity. |
Affected by 5 other vulnerabilities. |
|
VCID-udzs-xehs-d3cd
Aliases: GHSA-wqm8-jx8r-8rcq GMS-2023-1193 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in silverstripe/admin. |
Affected by 3 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-116r-5a94-fuds | Silverstripe admin XSS Vulnerability via WYSIWYG editor It is possible for a bad actor with access to the CMS to make use of onmouseover or onmouseout attributes in the WYSIWYG editor to embed malicious javascript. |
GHSA-779c-7w4p-2c4g
|