Search for packages
| purl | pkg:composer/silverstripe/assets@1.3.0-rc1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-9g6t-9zca-hket
Aliases: CVE-2022-29858 GHSA-v68g-62v9-39w5 |
Unpublished, protected files can be published via shortcode Silverstripe silverstripe/assets through 1.10 is vulnerable to improper access control that allows protected images to be published by changing an existing image short code on website content. Draft protected images can be published by changing an existing image shortcode on website content to match the ID of the draft protected image and then publishing the website content. |
Affected by 2 other vulnerabilities. |
|
VCID-bdcq-z11u-zyh5
Aliases: CVE-2019-12245 GHSA-jvx5-rm6q-gx7p |
Lack of access control on upoaded files SilverStripe through 4.3.3 has incorrect access control for protected files uploaded via Upload::loadIntoFile(). An attacker may be able to guess a filename in silverstripe/assets via the AssetControlExtension. |
Affected by 4 other vulnerabilities. Affected by 4 other vulnerabilities. |
|
VCID-dc9y-v257-6bhf
Aliases: CVE-2020-9280 GHSA-592m-4533-rxq9 |
SilverStripe Folders migrated from 3.x may be unsafe to upload to In SilverStripe through 4.5, files uploaded via Forms to folders migrated from Silverstripe CMS 3.x may be put to the default "/Uploads" folder instead. This affects installations which allowed upload folder protection via the optional silverstripe/secureassets module under 3.x. This module is installed and enabled by default on the Common Web Platform (CWP). The vulnerability only affects files uploaded after an upgrade to 4.x. |
Affected by 3 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-ftdr-uzuh-8ybc
Aliases: CVE-2022-38724 GHSA-9cx2-hj6m-fv58 GMS-2022-6853 GMS-2022-6856 |
Silverstripe XSS in shortcodes A malicious content author could add arbitrary attributes to HTML editor shortcodes which could be used to inject a JavaScript payload on the front end of the site. The shortcode providers that ship with Silverstripe CMS have been reviewed and attribute whitelists have been implemented where appropriate to negate this risk. |
Affected by 0 other vulnerabilities. |
|
VCID-mhey-g1u8-wbbv
Aliases: CVE-2022-38147 GHSA-vv3r-fxqp-vr3f GMS-2022-6854 |
XSS via uploaded gpx file A malicious content author could upload a GPX file with a Javascript payload. The payload could then be executed by luring a legitimate user to view the file in a browser with support for GPX files. GPX is an XML-based format used to store GPS data. By default, Silverstripe CMS will no longer allow GPX files to be uploaded to the assets area. |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||