VulnerableCode Package Details - pkg:composer/silverstripe/cms@4.5.1

Search for packages

Vulnerability	Summary	Fixed by
VCID-4x32-t75c-u3bj Aliases: CVE-2022-37421 GHSA-pp74-g2q5-j4jf GMS-2022-6855	Silverstipe CMS Stored XSS in custom meta tags A malicious content author could create a custom meta tag and execute an arbitrary JavaScript payload. This would require convincing a legitimate user to access a page and enter a custom keyboard shortcut. This requires CMS access to exploit.	4.11.3 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-4x32-t75c-u3bj
Aliases:
CVE-2022-37421
GHSA-pp74-g2q5-j4jf
GMS-2022-6855

Silverstipe CMS Stored XSS in custom meta tags A malicious content author could create a custom meta tag and execute an arbitrary JavaScript payload. This would require convincing a legitimate user to access a page and enter a custom keyboard shortcut. This requires CMS access to exploit.

4.11.3
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-2f9j-ek3x-kbc5	Silverstripe CMS XSS Vulnerability In SilverStripe through 4.5, malicious users with a valid Silverstripe CMS login (usually CMS access) can craft profile information which can lead to XSS for other users through specially crafted login form URLs.	CVE-2020-9311 GHSA-2pw2-qpcp-m47x
VCID-g366-c4n9-vfcs	Silverstripe CMS malicious file upload enables script execution Silverstripe CMS through 4.5 can be susceptible to script execution from malicious upload contents under allowed file extensions (for example HTML code in a TXT file). When these files are stored as protected or draft files, the MIME detection can cause browsers to execute the file contents. Uploads stored as protected or draft files are allowed by default for authorised users only, but can also be enabled through custom logic as well as modules such as silverstripe/userforms. Sites using the previously optional silverstripe/mimevalidator module can configure MIME whitelists rather than extension whitelists, and hence prevent this issue. Sites on the Common Web Platform (CWP) use this module by default, and are not affected.	CVE-2020-9309 GHSA-h77w-655f-6j3m
VCID-gme6-wj87-ekfw	Silverstripe CMS information disclosure In SilverStripe through 4.5.0, a specific URL path configured by default through the silverstripe/framework module can be used to disclose the fact that a domain is hosting a Silverstripe application. There is no disclosure of the specific version. The functionality on this URL path is limited to execution in a CLI context, and is not known to present a vulnerability through web-based access. As a side-effect, this preconfigured path also blocks the creation of other resources on this path (e.g. a page).	CVE-2020-6164 GHSA-gm5x-hpmw-xpxg

Vulnerability

Summary

Aliases

VCID-2f9j-ek3x-kbc5

Silverstripe CMS XSS Vulnerability In SilverStripe through 4.5, malicious users with a valid Silverstripe CMS login (usually CMS access) can craft profile information which can lead to XSS for other users through specially crafted login form URLs.

CVE-2020-9311
GHSA-2pw2-qpcp-m47x

VCID-g366-c4n9-vfcs

Silverstripe CMS malicious file upload enables script execution Silverstripe CMS through 4.5 can be susceptible to script execution from malicious upload contents under allowed file extensions (for example HTML code in a TXT file). When these files are stored as protected or draft files, the MIME detection can cause browsers to execute the file contents. Uploads stored as protected or draft files are allowed by default for authorised users only, but can also be enabled through custom logic as well as modules such as silverstripe/userforms. Sites using the previously optional silverstripe/mimevalidator module can configure MIME whitelists rather than extension whitelists, and hence prevent this issue. Sites on the Common Web Platform (CWP) use this module by default, and are not affected.

CVE-2020-9309
GHSA-h77w-655f-6j3m

VCID-gme6-wj87-ekfw

Silverstripe CMS information disclosure In SilverStripe through 4.5.0, a specific URL path configured by default through the silverstripe/framework module can be used to disclose the fact that a domain is hosting a Silverstripe application. There is no disclosure of the specific version. The functionality on this URL path is limited to execution in a CLI context, and is not known to present a vulnerability through web-based access. As a side-effect, this preconfigured path also blocks the creation of other resources on this path (e.g. a page).

CVE-2020-6164
GHSA-gm5x-hpmw-xpxg

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T22:16:06.668370+00:00	GitLab Importer	Affected by	VCID-4x32-t75c-u3bj	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/cms/GMS-2022-6855.yml	38.4.0
2026-04-16T22:02:11.632993+00:00	GitLab Importer	Fixing	VCID-2f9j-ek3x-kbc5	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/cms/CVE-2020-9311.yml	38.4.0
2026-04-16T21:57:13.754395+00:00	GitLab Importer	Fixing	VCID-gme6-wj87-ekfw	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/cms/CVE-2020-6164.yml	38.4.0
2026-04-16T21:56:39.796889+00:00	GitLab Importer	Fixing	VCID-g366-c4n9-vfcs	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/cms/CVE-2020-9309.yml	38.4.0
2026-04-11T23:33:22.755468+00:00	GitLab Importer	Affected by	VCID-4x32-t75c-u3bj	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/cms/GMS-2022-6855.yml	38.3.0
2026-04-11T23:17:49.376150+00:00	GitLab Importer	Fixing	VCID-2f9j-ek3x-kbc5	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/cms/CVE-2020-9311.yml	38.3.0
2026-04-11T23:12:39.035430+00:00	GitLab Importer	Fixing	VCID-gme6-wj87-ekfw	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/cms/CVE-2020-6164.yml	38.3.0
2026-04-11T23:12:02.466672+00:00	GitLab Importer	Fixing	VCID-g366-c4n9-vfcs	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/cms/CVE-2020-9309.yml	38.3.0
2026-04-05T02:28:37.125563+00:00	GitLab Importer	Affected by	VCID-4x32-t75c-u3bj	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/cms/GMS-2022-6855.yml	38.1.0
2026-04-02T23:25:30.405159+00:00	GitLab Importer	Fixing	VCID-2f9j-ek3x-kbc5	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/cms/CVE-2020-9311.yml	38.1.0
2026-04-02T23:20:56.624784+00:00	GitLab Importer	Fixing	VCID-gme6-wj87-ekfw	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/cms/CVE-2020-6164.yml	38.1.0
2026-04-02T23:20:25.651122+00:00	GitLab Importer	Fixing	VCID-g366-c4n9-vfcs	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/cms/CVE-2020-9309.yml	38.1.0
2026-04-01T17:46:17.140776+00:00	GitLab Importer	Fixing	VCID-2f9j-ek3x-kbc5	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/cms/CVE-2020-9311.yml	38.0.0
2026-04-01T17:41:38.871318+00:00	GitLab Importer	Fixing	VCID-gme6-wj87-ekfw	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/cms/CVE-2020-6164.yml	38.0.0
2026-04-01T17:41:01.820525+00:00	GitLab Importer	Fixing	VCID-g366-c4n9-vfcs	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/cms/CVE-2020-9309.yml	38.0.0