Search for packages
| purl | pkg:composer/silverstripe/cms@3.5.2 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-2f9j-ek3x-kbc5
Aliases: CVE-2020-9311 GHSA-2pw2-qpcp-m47x |
Silverstripe CMS XSS Vulnerability In SilverStripe through 4.5, malicious users with a valid Silverstripe CMS login (usually CMS access) can craft profile information which can lead to XSS for other users through specially crafted login form URLs. |
Affected by 1 other vulnerability. |
|
VCID-658d-vmwt-f7e8
Aliases: CVE-2019-12204 GHSA-cg8j-8w52-735v |
Missing warning can lead to unauthenticated admin access in SilverStripe In SilverStripe through 4.3.3, a missing warning about leaving install.php in a public webroot can lead to unauthenticated admin access. |
Affected by 0 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 4 other vulnerabilities. |
|
VCID-c3vp-kc9a-vkhn
Aliases: CVE-2017-14498 GHSA-j696-6m57-mcrv |
Cross-site Scripting SilverStripe CMS has an XSS via an SVG document that is mishandled by (1) the Insert Media option in the content editor or (2) an `admin/assets/add` pathname. |
Affected by 4 other vulnerabilities. |
|
VCID-g366-c4n9-vfcs
Aliases: CVE-2020-9309 GHSA-h77w-655f-6j3m |
Silverstripe CMS malicious file upload enables script execution Silverstripe CMS through 4.5 can be susceptible to script execution from malicious upload contents under allowed file extensions (for example HTML code in a TXT file). When these files are stored as protected or draft files, the MIME detection can cause browsers to execute the file contents. Uploads stored as protected or draft files are allowed by default for authorised users only, but can also be enabled through custom logic as well as modules such as silverstripe/userforms. Sites using the previously optional silverstripe/mimevalidator module can configure MIME whitelists rather than extension whitelists, and hence prevent this issue. Sites on the Common Web Platform (CWP) use this module by default, and are not affected. |
Affected by 1 other vulnerability. |
|
VCID-gme6-wj87-ekfw
Aliases: CVE-2020-6164 GHSA-gm5x-hpmw-xpxg |
Silverstripe CMS information disclosure In SilverStripe through 4.5.0, a specific URL path configured by default through the silverstripe/framework module can be used to disclose the fact that a domain is hosting a Silverstripe application. There is no disclosure of the specific version. The functionality on this URL path is limited to execution in a CLI context, and is not known to present a vulnerability through web-based access. As a side-effect, this preconfigured path also blocks the creation of other resources on this path (e.g. a page). |
Affected by 1 other vulnerability. |
|
VCID-kdyk-rrrr-pufw
Aliases: CVE-2017-12849 GHSA-fwhr-g5r4-xgxf |
Information Exposure Response discrepancy in the login and password reset forms in SilverStripe CMS allows remote attackers to enumerate users via timing attack. |
Affected by 5 other vulnerabilities. Affected by 4 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-j6ze-f76y-cqgy | Cross-site Scripting There is an XSS in SilverStripe CMS. |
CVE-2017-5197
GHSA-xmjh-wjc5-wg4h |