VulnerableCode Package Details - pkg:composer/silverstripe/assets@1.4.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-9g6t-9zca-hket Aliases: CVE-2022-29858 GHSA-v68g-62v9-39w5	Unpublished, protected files can be published via shortcode Silverstripe silverstripe/assets through 1.10 is vulnerable to improper access control that allows protected images to be published by changing an existing image short code on website content. Draft protected images can be published by changing an existing image shortcode on website content to match the ID of the draft protected image and then publishing the website content.	1.10.1 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-bdcq-z11u-zyh5 Aliases: CVE-2019-12245 GHSA-jvx5-rm6q-gx7p	Lack of access control on upoaded files SilverStripe through 4.3.3 has incorrect access control for protected files uploaded via Upload::loadIntoFile(). An attacker may be able to guess a filename in silverstripe/assets via the AssetControlExtension.	1.4.4 Affected by 4 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-dc9y-v257-6bhf Aliases: CVE-2020-9280 GHSA-592m-4533-rxq9	SilverStripe Folders migrated from 3.x may be unsafe to upload to In SilverStripe through 4.5, files uploaded via Forms to folders migrated from Silverstripe CMS 3.x may be put to the default "/Uploads" folder instead. This affects installations which allowed upload folder protection via the optional silverstripe/secureassets module under 3.x. This module is installed and enabled by default on the Common Web Platform (CWP). The vulnerability only affects files uploaded after an upgrade to 4.x.	1.4.7 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 1.5.2 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-ftdr-uzuh-8ybc Aliases: CVE-2022-38724 GHSA-9cx2-hj6m-fv58 GMS-2022-6853 GMS-2022-6856	Silverstripe XSS in shortcodes A malicious content author could add arbitrary attributes to HTML editor shortcodes which could be used to inject a JavaScript payload on the front end of the site. The shortcode providers that ship with Silverstripe CMS have been reviewed and attribute whitelists have been implemented where appropriate to negate this risk.	1.11.1 Affected by 0 other vulnerabilities.
VCID-mhey-g1u8-wbbv Aliases: CVE-2022-38147 GHSA-vv3r-fxqp-vr3f GMS-2022-6854	XSS via uploaded gpx file A malicious content author could upload a GPX file with a Javascript payload. The payload could then be executed by luring a legitimate user to view the file in a browser with support for GPX files. GPX is an XML-based format used to store GPS data. By default, Silverstripe CMS will no longer allow GPX files to be uploaded to the assets area.	1.11.1 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-9g6t-9zca-hket
Aliases:
CVE-2022-29858
GHSA-v68g-62v9-39w5

Unpublished, protected files can be published via shortcode Silverstripe silverstripe/assets through 1.10 is vulnerable to improper access control that allows protected images to be published by changing an existing image short code on website content. Draft protected images can be published by changing an existing image shortcode on website content to match the ID of the draft protected image and then publishing the website content.

1.10.1
Affected by 2 other vulnerabilities.

VCID-bdcq-z11u-zyh5
Aliases:
CVE-2019-12245
GHSA-jvx5-rm6q-gx7p

Lack of access control on upoaded files SilverStripe through 4.3.3 has incorrect access control for protected files uploaded via Upload::loadIntoFile(). An attacker may be able to guess a filename in silverstripe/assets via the AssetControlExtension.

1.4.4
Affected by 4 other vulnerabilities.

VCID-dc9y-v257-6bhf
Aliases:
CVE-2020-9280
GHSA-592m-4533-rxq9

SilverStripe Folders migrated from 3.x may be unsafe to upload to In SilverStripe through 4.5, files uploaded via Forms to folders migrated from Silverstripe CMS 3.x may be put to the default "/Uploads" folder instead. This affects installations which allowed upload folder protection via the optional silverstripe/secureassets module under 3.x. This module is installed and enabled by default on the Common Web Platform (CWP). The vulnerability only affects files uploaded after an upgrade to 4.x.

1.4.7
Affected by 3 other vulnerabilities.

1.5.2
Affected by 3 other vulnerabilities.

VCID-ftdr-uzuh-8ybc
Aliases:
CVE-2022-38724
GHSA-9cx2-hj6m-fv58
GMS-2022-6853
GMS-2022-6856

Silverstripe XSS in shortcodes A malicious content author could add arbitrary attributes to HTML editor shortcodes which could be used to inject a JavaScript payload on the front end of the site. The shortcode providers that ship with Silverstripe CMS have been reviewed and attribute whitelists have been implemented where appropriate to negate this risk.

1.11.1
Affected by 0 other vulnerabilities.

VCID-mhey-g1u8-wbbv
Aliases:
CVE-2022-38147
GHSA-vv3r-fxqp-vr3f
GMS-2022-6854

XSS via uploaded gpx file A malicious content author could upload a GPX file with a Javascript payload. The payload could then be executed by luring a legitimate user to view the file in a browser with support for GPX files. GPX is an XML-based format used to store GPS data. By default, Silverstripe CMS will no longer allow GPX files to be uploaded to the assets area.

1.11.1
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T22:16:09.434017+00:00	GitLab Importer	Affected by	VCID-ftdr-uzuh-8ybc	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/assets/GMS-2022-6853.yml	38.4.0
2026-04-16T22:16:01.709568+00:00	GitLab Importer	Affected by	VCID-mhey-g1u8-wbbv	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/assets/GMS-2022-6854.yml	38.4.0
2026-04-16T22:04:57.102631+00:00	GitLab Importer	Affected by	VCID-9g6t-9zca-hket	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/assets/CVE-2022-29858.yml	38.4.0
2026-04-16T22:01:22.708266+00:00	GitLab Importer	Affected by	VCID-dc9y-v257-6bhf	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/assets/CVE-2020-9280.yml	38.4.0
2026-04-16T20:58:38.773402+00:00	GitLab Importer	Affected by	VCID-bdcq-z11u-zyh5	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/assets/CVE-2019-12245.yml	38.4.0
2026-04-11T23:33:25.657796+00:00	GitLab Importer	Affected by	VCID-ftdr-uzuh-8ybc	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/assets/GMS-2022-6853.yml	38.3.0
2026-04-11T23:33:17.504582+00:00	GitLab Importer	Affected by	VCID-mhey-g1u8-wbbv	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/assets/GMS-2022-6854.yml	38.3.0
2026-04-11T23:20:48.718616+00:00	GitLab Importer	Affected by	VCID-9g6t-9zca-hket	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/assets/CVE-2022-29858.yml	38.3.0
2026-04-11T23:16:58.466739+00:00	GitLab Importer	Affected by	VCID-dc9y-v257-6bhf	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/assets/CVE-2020-9280.yml	38.3.0
2026-04-11T22:09:48.393426+00:00	GitLab Importer	Affected by	VCID-bdcq-z11u-zyh5	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/assets/CVE-2019-12245.yml	38.3.0
2026-04-05T02:28:39.665132+00:00	GitLab Importer	Affected by	VCID-ftdr-uzuh-8ybc	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/assets/GMS-2022-6853.yml	38.1.0
2026-04-05T02:28:32.464961+00:00	GitLab Importer	Affected by	VCID-mhey-g1u8-wbbv	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/assets/GMS-2022-6854.yml	38.1.0
2026-04-02T23:27:50.005432+00:00	GitLab Importer	Affected by	VCID-9g6t-9zca-hket	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/assets/CVE-2022-29858.yml	38.1.0
2026-04-02T23:24:45.884213+00:00	GitLab Importer	Affected by	VCID-dc9y-v257-6bhf	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/assets/CVE-2020-9280.yml	38.1.0
2026-04-02T22:22:25.595129+00:00	GitLab Importer	Affected by	VCID-bdcq-z11u-zyh5	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/assets/CVE-2019-12245.yml	38.1.0
2026-04-01T17:48:54.799533+00:00	GitLab Importer	Affected by	VCID-9g6t-9zca-hket	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/assets/CVE-2022-29858.yml	38.0.0
2026-04-01T17:45:31.483108+00:00	GitLab Importer	Affected by	VCID-dc9y-v257-6bhf	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/assets/CVE-2020-9280.yml	38.0.0
2026-04-01T16:40:10.716915+00:00	GitLab Importer	Affected by	VCID-bdcq-z11u-zyh5	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/assets/CVE-2019-12245.yml	38.0.0
2026-04-01T15:57:45.352413+00:00	GHSA Importer	Affected by	VCID-bdcq-z11u-zyh5	https://github.com/advisories/GHSA-jvx5-rm6q-gx7p	38.0.0