Package details: pkg:composer/silverstripe/cms@4.0.0-beta2
purl pkg:composer/silverstripe/cms@4.0.0-beta2
Next non-vulnerable version 4.11.3
Latest non-vulnerable version 4.11.3
Risk 4.5
Vulnerabilities affecting this package (4)
Vulnerability | Summary | Fixed by
VCID-2s8q-qgpm-cqh7
Aliases:
CVE-2020-9309
GHSA-h77w-655f-6j3m
Unrestricted Upload of File with Dangerous Type: Silverstripe CMS can be susceptible to script execution from malicious upload contents under allowed file extensions (for example HTML code in a TXT file). When these files are stored as protected or draft files, the MIME detection can cause browsers to execute the file contents.
Fixed by: 4.5.1 (affected by 1 other vulnerability)
VCID-umhc-fdfh-1fdx
Aliases:
CVE-2020-9311
GHSA-2pw2-qpcp-m47x
Cross-site Scripting: In SilverStripe, malicious users with a valid Silverstripe CMS login (usually CMS access) can craft profile information which can lead to XSS for other users through specially crafted login form URLs.
Fixed by: 4.5.1 (affected by 1 other vulnerability)
VCID-ytbc-8mhd-b3fc
Aliases:
CVE-2020-6164
GHSA-gm5x-hpmw-xpxg
Information Exposure: In SilverStripe, a specific URL path configured by default through the silverstripe/framework module can be used to disclose the fact that a domain is hosting a Silverstripe application. There is no disclosure of the specific version. The functionality on this URL path is limited to execution in a CLI context, and is not known to present a vulnerability through web-based access. As a side effect, this preconfigured path also blocks the creation of other resources on this path (e.g. a page).
Fixed by: 4.5.1 (affected by 1 other vulnerability)
VCID-z94y-nz4f-y7er
Aliases:
CVE-2019-12204
GHSA-cg8j-8w52-735v
Improper Privilege Management: In SilverStripe, a missing warning about leaving `install.php` in a public webroot can lead to unauthenticated admin access.
Fixed by: 4.3.6 (affected by 0 other vulnerabilities)
Fixed by: 4.4.0-rc1 (affected by 4 other vulnerabilities)
Fixed by: 4.4.4 (affected by 4 other vulnerabilities)
Vulnerabilities fixed by this package (0)
Vulnerability | Summary | Aliases
This package is not known to fix vulnerabilities.

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
| --- | --- | --- | --- | --- | --- |
| 2026-06-06T02:33:06.041817+00:00 | GitLab Importer | Affected by | VCID-umhc-fdfh-1fdx | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/cms/CVE-2020-9311.yml | 38.6.0 |
| 2026-06-06T02:18:21.796563+00:00 | GitLab Importer | Affected by | VCID-ytbc-8mhd-b3fc | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/cms/CVE-2020-6164.yml | 38.6.0 |
| 2026-06-06T02:16:42.406279+00:00 | GitLab Importer | Affected by | VCID-2s8q-qgpm-cqh7 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/cms/CVE-2020-9309.yml | 38.6.0 |
| 2026-06-04T20:25:26.872341+00:00 | GitLab Importer | Affected by | VCID-z94y-nz4f-y7er | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/cms/CVE-2019-12204.yml | 38.6.0 |