Search for packages
| purl | pkg:composer/silverstripe/framework@3.1.17 |
| Next non-vulnerable version | 5.3.23 |
| Latest non-vulnerable version | 6.0.0-alpha1 |
| Risk | 10.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-2f9j-ek3x-kbc5
Aliases: CVE-2020-9311 GHSA-2pw2-qpcp-m47x |
Silverstripe CMS XSS Vulnerability In SilverStripe through 4.5, malicious users with a valid Silverstripe CMS login (usually CMS access) can craft profile information which can lead to XSS for other users through specially crafted login form URLs. |
Affected by 18 other vulnerabilities. |
|
VCID-2rbk-47h6-d7d8
Aliases: CVE-2022-0227 GHSA-32m2-9f76-4gv8 |
Business Logic Errors in GitHub repository silverstripe/silverstripe-framework |
Affected by 21 other vulnerabilities. |
|
VCID-414d-7bfm-kud7
Aliases: CVE-2021-28661 GHSA-r7rh-g777-g5gx |
Incorrect Authorization Default SilverStripe GraphQL Server (aka silverstripe/graphql) permission checker is not inherited by query subclass. |
Affected by 40 other vulnerabilities. |
|
VCID-4f9c-aun4-wfep
Aliases: CVE-2023-22728 GHSA-jh3w-6jp2-vqqm |
Missing Authorization Silverstripe Framework is the Model-View-Controller framework that powers the Silverstripe content management system. Prior to version 4.12.15, the GridField print view incorrectly validates the permission of DataObjects potentially allowing a content author to view records they are not authorised to access. Users should upgrade to Silverstripe Framework 4.12.15 or above to address the issue. |
Affected by 10 other vulnerabilities. |
|
VCID-4x32-t75c-u3bj
Aliases: CVE-2022-37421 GHSA-pp74-g2q5-j4jf GMS-2022-6855 |
Silverstipe CMS Stored XSS in custom meta tags A malicious content author could create a custom meta tag and execute an arbitrary JavaScript payload. This would require convincing a legitimate user to access a page and enter a custom keyboard shortcut. This requires CMS access to exploit. |
Affected by 17 other vulnerabilities. |
|
VCID-5pkg-j4wg-7fcn
Aliases: CVE-2023-32302 GHSA-36xx-7vf6-7mv3 |
Improper Input Validation Silverstripe Framework is the MVC framework that powers Silverstripe CMS. When a new member record is created and a password is not set, an empty encrypted password is generated. As a result, if someone is aware of the existence of a member record associated with a specific email address, they can potentially attempt to log in using that empty password. Although the default member authenticator and login form require a non-empty password, alternative authentication methods might still permit a successful login with the empty password. This issue has been patched in versions 4.13.4 and 5.0.13. |
Affected by 9 other vulnerabilities. Affected by 9 other vulnerabilities. |
|
VCID-6du5-hdvd-fueb
Aliases: CVE-2019-12203 GHSA-w7r7-r8r9-vrg2 |
Session fixation in change password form SilverStripe through 4.3.3 allows session fixation in the "change password" form. |
Affected by 29 other vulnerabilities. Affected by 28 other vulnerabilities. Affected by 30 other vulnerabilities. Affected by 29 other vulnerabilities. Affected by 30 other vulnerabilities. |
|
VCID-6epx-c68d-d7bv
Aliases: CVE-2024-53277 GHSA-ff6q-3c9c-6cf5 |
Silverstripe Framework has a XSS in form messages In some cases, form messages can contain HTML markup. This is an intentional feature, allowing links and other relevant HTML markup for the given message. Some form messages include content that the user can provide. There are scenarios in the CMS where that content doesn't get correctly sanitised prior to being included in the form message, resulting in an XSS vulnerability. ### References - https://www.silverstripe.org/download/security-releases/cve-2024-53277 ## Reported by Leo Diamat from [Bastion Security Group](http://www.bastionsecurity.co.nz/) |
Affected by 2 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-6j2p-tzvx-9bdj
Aliases: SS-2016-006 |
Missing CSRF protection in login form `LoginForm` calls `disableSecurityToken()`, which causes a "shared host domain" vulnerability. |
Affected by 55 other vulnerabilities. Affected by 52 other vulnerabilities. Affected by 54 other vulnerabilities. Affected by 51 other vulnerabilities. Affected by 55 other vulnerabilities. Affected by 53 other vulnerabilities. |
|
VCID-7dk3-gcup-2kc9
Aliases: CVE-2020-25817 GHSA-3vjc-5x79-m9r8 |
SilverStripe XXE Vulnerability in CSSContentParser SilverStripe through 4.6.0-rc1 has an XXE Vulnerability in CSSContentParser. A developer utility meant for parsing HTML within unit tests can be vulnerable to XML External Entity (XXE) attacks. When this developer utility is misused for purposes involving external or user submitted data in custom project code, it can lead to vulnerabilities such as XSS on HTML output rendered through this custom code. This is now mitigated by disabling external entities during parsing. (The correct CVE ID year is 2020 [CVE-2020-25817, not CVE-2021-25817]). |
Affected by 23 other vulnerabilities. Affected by 23 other vulnerabilities. |
|
VCID-86yd-4mkt-hydr
Aliases: CVE-2023-48714 GHSA-qm2j-qvq3-j29v |
Record titles for restricted records can be viewed if exposed by GridFieldAddExistingAutocompleter ### Impact If a user should not be able to see a record, but that record can be added to a `GridField` using the `GridFieldAddExistingAutocompleter` component, the record's title can be accessed by that user. **Base CVSS:** [4.3](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C&version=3.1) **Reported by:** Nick K - LittleMonkey, [littlemonkey.co.nz](http://littlemonkey.co.nz/) ### References - https://www.silverstripe.org/download/security-releases/CVE-2023-48714 |
Affected by 8 other vulnerabilities. Affected by 8 other vulnerabilities. |
|
VCID-8wbx-bvm9-jqcv
Aliases: SS-2016-011 |
ChangePasswordForm doesn't check Member::canLogIn() After performing a password reset, `ChangePasswordForm::doChangePassword()` logs in the user without checking `Member::canLogIn()`. This presents an issue for sites that are using the extension point in that method to deny access to users (for example members that have not been “approved”, or members that have had their access revoked temporarily). It looks like `Member::canLogIn()` was originally designed to only be used for checking whether the user is locked out (due to too many incorrect login attempts) but has been opened up to other uses. |
Affected by 39 other vulnerabilities. Affected by 39 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 26 other vulnerabilities. |
|
VCID-a3yc-fxa1-gfhy
Aliases: CVE-2025-30148 GHSA-rhx4-hvx9-j387 |
Silverstripe Framework has a XSS vulnerability in HTML editor ### Impact A bad actor with access to edit content in the CMS could send a specifically crafted encoded payload to the server, which could be used to inject a JavaScript payload on the front end of the site. The payload would be sanitised on the client-side, but server-side sanitisation doesn't catch it. The server-side sanitisation logic has been updated to sanitise against this attack. ### Reported by James Nicoll from Fujitsu Cyber ### References - https://www.silverstripe.org/download/security-releases/cve-2025-30148 |
Affected by 0 other vulnerabilities. |
|
VCID-ab5z-bqka-xudb
Aliases: CVE-2017-18049 GHSA-2jvj-mhf2-g99w |
Injection Vulnerability In the CSV export feature of SilverStripe, it is possible for the output to contain macros and scripts, which may be executed if imported without sanitization into common software. |
Affected by 34 other vulnerabilities. Affected by 30 other vulnerabilities. Affected by 35 other vulnerabilities. Affected by 31 other vulnerabilities. Affected by 49 other vulnerabilities. Affected by 45 other vulnerabilities. |
|
VCID-ajga-3b99-yugh
Aliases: CVE-2020-26136 GHSA-mg2g-8pwj-r2j2 |
Authentication bypass in SilverStripe GraphQL The GraphQL module accepts basic-auth as an authentication method by default. This can be used to bypass MFA authentication if the silverstripe/mfa module is installed, which is now a commonly installed module. A users password is still required though. Basic-auth has been removed as a default authentication method. If desired, it can be re-enabled by adding it to the authenticators key of a schema, or on SilverStripe\Graphql\Auth\Handler |
Affected by 23 other vulnerabilities. |
|
VCID-axxx-gpfn-mqc9
Aliases: GHSA-mqf3-qpc3-g26q |
Silverstripe Framework has a Reflected Cross Site Scripting (XSS) in error message > [!IMPORTANT] > This vulnerability only affects sites which are in the "dev" environment mode. If your production website is in "dev" mode, it has been misconfigured, and you should immediately swap it to "live" mode. > See https://docs.silverstripe.org/en/developer_guides/debugging/environment_types/ for more information. If a website has been set to the "dev" environment mode, a URL can be provided which includes an XSS payload which will be executed in the resulting error message. ## References - https://www.silverstripe.org/download/security-releases/ss-2024-002 ## Reported by Gaurav Nayak from [Chaleit](https://chaleit.com/) |
Affected by 2 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-bdcq-z11u-zyh5
Aliases: CVE-2019-12245 GHSA-jvx5-rm6q-gx7p |
Lack of access control on upoaded files SilverStripe through 4.3.3 has incorrect access control for protected files uploaded via Upload::loadIntoFile(). An attacker may be able to guess a filename in silverstripe/assets via the AssetControlExtension. |
Affected by 29 other vulnerabilities. Affected by 28 other vulnerabilities. Affected by 30 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 30 other vulnerabilities. |
|
VCID-c3vp-kc9a-vkhn
Aliases: CVE-2017-14498 GHSA-j696-6m57-mcrv |
Cross-site Scripting SilverStripe CMS has an XSS via an SVG document that is mishandled by (1) the Insert Media option in the content editor or (2) an `admin/assets/add` pathname. |
Affected by 37 other vulnerabilities. Affected by 37 other vulnerabilities. |
|
VCID-cdgj-bdpy-ukak
Aliases: CVE-2019-12437 GHSA-fx37-56v6-85q6 |
Cross-Site Request Forgery (CSRF) Cross Site Request Forgery (CSRF) Protection Bypass in GraphQL. |
Affected by 30 other vulnerabilities. |
|
VCID-cg3k-vmk4-5kdb
Aliases: GHSA-r85g-7jpv-8xrx |
silverstripe/framework has Cross-site Scripting vulnerability in CMSSecurity BackURL In follow up to [SS-2016-001](https://www.silverstripe.org/download/security-releases/ss-2016-001/) there is yet a minor unresolved fix to incorrectly encoded URL. |
Affected by 36 other vulnerabilities. Affected by 35 other vulnerabilities. Affected by 35 other vulnerabilities. Affected by 39 other vulnerabilities. |
|
VCID-dgn7-zmwr-u3c6
Aliases: SS-2015-029 |
CSRF vulnerability in savetreenodes `savetreenode` action does not have sufficient CSRF protection, meaning that in some cases users with CMS access can be tricked into posting unspecified data into the CMS from external websites. |
Affected by 55 other vulnerabilities. Affected by 52 other vulnerabilities. Affected by 54 other vulnerabilities. Affected by 51 other vulnerabilities. Affected by 55 other vulnerabilities. Affected by 53 other vulnerabilities. |
|
VCID-dx5f-g875-5bct
Aliases: SS-2016-014 |
Pre-existing alc_enc cookies log users in if remember me is disabled If remember me is on and users log in with the box checked, if the developer then disabled "remember me" function, any pre-existing cookies will continue to authenticate users. |
Affected by 40 other vulnerabilities. Affected by 39 other vulnerabilities. Affected by 39 other vulnerabilities. Affected by 43 other vulnerabilities. Affected by 26 other vulnerabilities. |
|
VCID-eddc-w9wx-c3gq
Aliases: CVE-2019-14273 GHSA-43jj-2rwc-2m3f |
Broken access control on files In SilverStripe assets 4.0, there is broken access control on files. |
Affected by 49 other vulnerabilities. Affected by 45 other vulnerabilities. Affected by 29 other vulnerabilities. Affected by 30 other vulnerabilities. |
|
VCID-enkd-4y44-4ueq
Aliases: CVE-2020-26138 GHSA-7mv4-4xpg-xq44 |
FormField with square brackets in field name skips validation FileField with array notation skips validation The FileField class is commonly used for file upload in custom code on a Silverstripe website. This field is designed to be used with a single file upload. PHP allows for submitting multiple values by adding square brackets to the field name. When this is done to a FileField, it will be coerced into allowing multiple files by using this notation. This is not a supported feature, though nothing is done to prevent this. In this scenario, validation such as limiting allowed extensions is not applied, and the FileField->saveInto() behaviour is not triggered. If custom controller logic is used to process the file uploads, it might implicitly rely on validation to be provided by the Form system, which is not the case. |
Affected by 23 other vulnerabilities. Affected by 23 other vulnerabilities. |
|
VCID-fpb7-5pwu-tyg5
Aliases: CVE-2019-12617 GHSA-6r58-4xgr-gm6m |
SilverStripe Priviledge escalation through cache pollution In SilverStripe through 4.3.3, there is access escalation for CMS users with limited access through permission cache pollution. |
Affected by 30 other vulnerabilities. Affected by 29 other vulnerabilities. Affected by 30 other vulnerabilities. |
|
VCID-fyxa-vzeq-ubeq
Aliases: CVE-2019-19326 GHSA-q9ff-3q93-fm8m |
SilverStripe Web Cache Poisoning through HTTPRequestBuilder SilverStripe through 4.4.4 allows Web Cache Poisoning through HTTPRequestBuilder. |
Affected by 18 other vulnerabilities. Affected by 27 other vulnerabilities. Affected by 26 other vulnerabilities. |
|
VCID-hgkh-tcdc-ufd5
Aliases: SS-2016-012 |
Missing ACL on reports The `SS_Report`, and the reports CMS section only checks `canView()` when listing the reports that can be viewed by the current user. It does not (and should) perform `canView` checks when the report is actually viewed, so if you know the URL to a report and can otherwise access the Reports section of the CMS, you can view any report. |
Affected by 40 other vulnerabilities. Affected by 39 other vulnerabilities. Affected by 39 other vulnerabilities. Affected by 43 other vulnerabilities. Affected by 26 other vulnerabilities. |
|
VCID-j6ze-f76y-cqgy
Aliases: CVE-2017-5197 GHSA-xmjh-wjc5-wg4h |
Cross-site Scripting There is an XSS in SilverStripe CMS. |
Affected by 37 other vulnerabilities. Affected by 36 other vulnerabilities. Affected by 42 other vulnerabilities. Affected by 40 other vulnerabilities. |
|
VCID-k7bb-y315-4qb6
Aliases: SS-2016-015 |
XSS In OptionsetField and CheckboxSetField List of key / value pairs assigned to `OptionsetField` or `CheckboxSetField` do not have a default casting assigned to them. The effect of this is a potential XSS vulnerability in lists where either key or value contain unescaped HTML. |
Affected by 40 other vulnerabilities. Affected by 39 other vulnerabilities. Affected by 39 other vulnerabilities. Affected by 43 other vulnerabilities. Affected by 26 other vulnerabilities. |
|
VCID-kak1-btjp-kqgz
Aliases: GHSA-52cw-pvq9-9m5v |
Silverstripe uses TinyMCE which allows svg files linked in object tags ### Impact TinyMCE v6 has a configuration value `convert_unsafe_embeds` set to `false` which allows svg files containing javascript to be used in `<object>` or `<embed>` tags, which can be used as a vector for XSS attacks. Note that `<embed>` tags are not allowed by default. After patching the default value of `convert_unsafe_embeds` will be set to `true`. This means that `<object>` tags will be converted to iframes instead the next time the page is saved, which may break any pages that rely upon previously saved `<object>` tags. Developers can override this configuration if desired to revert to the original behaviour. We reviewed the potential impact of this vulnerability within the context of Silverstripe CMS. We concluded this is a medium impact vulnerability given how TinyMCE is used by Silverstripe CMS. ### References: - https://www.silverstripe.org/download/security-releases/ss-2024-001 - https://github.com/advisories/GHSA-5359-pvf2-pw78 |
Affected by 6 other vulnerabilities. |
|
VCID-kdyk-rrrr-pufw
Aliases: CVE-2017-12849 GHSA-fwhr-g5r4-xgxf |
Information Exposure Response discrepancy in the login and password reset forms in SilverStripe CMS allows remote attackers to enumerate users via timing attack. |
Affected by 35 other vulnerabilities. Affected by 35 other vulnerabilities. Affected by 37 other vulnerabilities. Affected by 37 other vulnerabilities. |
|
VCID-kqk7-mdnd-hfc7
Aliases: GHSA-r9vp-fp72-xgf7 |
silverstripe/framework's `Member.Name` is not escaped The core template `framework/templates/Includes/GridField_print.ss` uses "Printed by $Member.Name". If the currently logged in members first name or surname contain XSS, this prints the raw HTML out, because Member->getName() just returns the raw FirstName + Surname as a string, which is injected directly. |
Affected by 40 other vulnerabilities. Affected by 39 other vulnerabilities. Affected by 39 other vulnerabilities. Affected by 43 other vulnerabilities. |
|
VCID-krjm-ygks-wyct
Aliases: GHSA-97jm-g33h-f46g |
silverstripe/framework ReadOnly transformation for formfields exploitable Form fields returning isReadonly() as true are vulnerable to reflected XSS injections. This includes ReadonlyField, LookupField, HTMLReadonlyField, as well as special purpose fields like TimeField_Readonly. Values submitted to through these form fields are not filtered out from the form session data, and might be shown to the user depending on the form behaviour. For example, form validation errors cause the form to re-render with previously submitted values by default. SilverStripe forms automatically load values from request data (GET and POST), which enables malicious use of URLs if your form uses these fields and doesn't overwrite data on form construction. Readonly and disabled form fields are already filtered out in Form->saveInto(), so maliciously submitted data on these fields doesn't make it into the database unless you are accessing form values directly in your saving logic. |
Affected by 36 other vulnerabilities. Affected by 35 other vulnerabilities. Affected by 35 other vulnerabilities. Affected by 39 other vulnerabilities. |
|
VCID-kvhv-9fj5-7kgk
Aliases: CVE-2024-47605 GHSA-7cmp-cgg8-4c82 |
Silverstripe Framework has a XSS via insert media remote file oembed ### Impact When using the "insert media" functionality, the linked oEmbed JSON includes an HTML attribute which will replace the embed shortcode. The HTML is not sanitized before replacing the shortcode, allowing a script payload to be executed on both the CMS and the front-end of the website. ## References - https://www.silverstripe.org/download/security-releases/cve-2024-47605 ## Reported by James Nicoll from [Fujitsu Cyber Security Services](https://www.fujitsu.com/nz/services/security/) |
Affected by 2 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-kw9p-5fbc-hudg
Aliases: GHSA-74j9-xhqr-6qv3 |
Reflected Cross Site Scripting (XSS) in error message If a website has been set to the "dev" environment mode, a URL can be provided which includes an XSS payload which will be executed in the resulting error message. |
Affected by 2 other vulnerabilities. |
|
VCID-kxa8-dmva-ayff
Aliases: CVE-2021-41559 GHSA-9fmg-89fx-r33w |
Quadratic blowup in Convert::xml2array() Silverstripe silverstripe/framework 4.x until 4.10.9 has a quadratic blowup in Convert::xml2array() that enables a remote attack via a crafted XML document. |
Affected by 18 other vulnerabilities. Affected by 17 other vulnerabilities. |
|
VCID-p2kq-rkh6-ayeu
Aliases: CVE-2019-5715 GHSA-wvfw-w3x6-g526 |
SilverStripe allowss Reflected SQL Injection through Form and `DataObject`. |
Affected by 29 other vulnerabilities. Affected by 28 other vulnerabilities. Affected by 36 other vulnerabilities. Affected by 37 other vulnerabilities. Affected by 37 other vulnerabilities. Affected by 37 other vulnerabilities. |
|
VCID-p52e-s67u-eya7
Aliases: SS-2016-013 |
Member.Name isn't escaped The core template `framework/templates/Includes/GridField_print.ss` uses "Printed by $Member.Name". If the currently logged in members first name or surname contain XSS, this prints the raw HTML out, because `Member->getName()` just returns the raw `FirstName + Surname` as a string, which is injected directly. |
Affected by 40 other vulnerabilities. Affected by 39 other vulnerabilities. Affected by 39 other vulnerabilities. Affected by 43 other vulnerabilities. Affected by 26 other vulnerabilities. |
|
VCID-pq29-qe7h-tkcp
Aliases: CVE-2019-12205 GHSA-rfvw-5848-gxc5 |
Silverstripe Flash Clipboard Reflected XSS SilverStripe versions 3.0.0 until 4.3.5 and 4.4.4 are vulnerable to Flash Clipboard Reflected XSS. Versions 4.3.5 and 4.4.4 of `silverstripe/framework` and version 1.3.5 of `silverstripe/admin` contain a fix for this issue. |
Affected by 30 other vulnerabilities. Affected by 29 other vulnerabilities. Affected by 30 other vulnerabilities. |
|
VCID-qm38-1cwk-b3hq
Aliases: CVE-2023-22729 GHSA-fw84-xgm8-9jmv |
URL Redirection to Untrusted Site ('Open Redirect') Silverstripe Framework is the Model-View-Controller framework that powers the Silverstripe content management system. Prior to version 4.12.15, an attacker can display a link to a third party website on a login screen by convincing a legitimate content author to follow a specially crafted link. Users should upgrade to Silverstripe Framework 4.12.15 or above to address the issue. |
Affected by 10 other vulnerabilities. |
|
VCID-t17w-gcwe-eue4
Aliases: GHSA-qp29-wcc2-vmpc |
Silverstripe HtmlEditor embed url sanitisation "Add from URL" doesn't clearly sanitise URL server side HtmlEditorField_Toolbar has an action HtmlEditorField_Toolbar#viewfile, which gets called by the CMS when adding a media "from a URL" (i.e. via oembed). This action gets the URL to add in the GET parameter FileURL. However it doesn't do any URL sanitising server side. The current logic will pass this through to Oembed, which will probably reject most dangerous URLs, but it's possible future changes would break this. |
Affected by 56 other vulnerabilities. |
|
VCID-tc2y-zrea-vyb2
Aliases: CVE-2021-36150 GHSA-j66h-cc96-c32q |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') SilverStripe Framework suffers from a XSS vulnerablity. |
Affected by 22 other vulnerabilities. Affected by 22 other vulnerabilities. |
|
VCID-tm1s-2m92-uyh9
Aliases: CVE-2019-14272 GHSA-jgw2-f5mx-rg7h |
SilverStripe asset-admin Cross-site Scripting (XSS) In SilverStripe asset-admin 4.0, there is XSS in file titles managed through the CMS. |
Affected by 49 other vulnerabilities. Affected by 45 other vulnerabilities. Affected by 29 other vulnerabilities. Affected by 30 other vulnerabilities. |
|
VCID-tuwu-cznx-jqdb
Aliases: SS-2016-001 |
XSS in CMSController BackURL A XSS risk exists in the returnURL parameter passed to CMSSecurity/success. An unvalidated url could cause the user to redirect to an unverified third party url outside of the site. |
Affected by 55 other vulnerabilities. Affected by 52 other vulnerabilities. Affected by 54 other vulnerabilities. Affected by 51 other vulnerabilities. Affected by 55 other vulnerabilities. Affected by 53 other vulnerabilities. |
|
VCID-u49v-31sv-eqc3
Aliases: CVE-2019-12246 GHSA-5fr8-xhqq-4p3q |
SilverStripe Denial of Service on flush and development URL tools SilverStripe before 4.4.0 allows a Denial of Service on flush and development URL tools. |
Affected by 30 other vulnerabilities. Affected by 36 other vulnerabilities. |
|
VCID-wazt-hn99-qkdk
Aliases: SS-2016-005 |
Brute force bypass on default admin Default Administrator accounts were not subject to the same brute force protection afforded to other Member accounts. Failed login counts were not logged for default admins resulting in unlimited attempts on the default admin username and password. |
Affected by 55 other vulnerabilities. Affected by 52 other vulnerabilities. Affected by 54 other vulnerabilities. Affected by 51 other vulnerabilities. Affected by 55 other vulnerabilities. Affected by 53 other vulnerabilities. |
|
VCID-wrnm-d19b-hqby
Aliases: SS-2016-008 |
Password encryption salt expiry When a user changes their password, the internal salt used for hashing their password is not updated. |
Affected by 40 other vulnerabilities. Affected by 39 other vulnerabilities. Affected by 39 other vulnerabilities. Affected by 43 other vulnerabilities. Affected by 26 other vulnerabilities. |
|
VCID-ya8k-c5s5-47gx
Aliases: SS-2017-001 |
XSS In page name SilverStripe is vulnerable to XSS via the page name. For instance, page name `"><svg/onload=alert(/xss/)>` will trigger an XSS alert. |
Affected by 37 other vulnerabilities. Affected by 42 other vulnerabilities. |
|
VCID-yuer-yn1w-q3gw
Aliases: CVE-2024-32981 GHSA-chx7-9x8h-r5mg |
Silverstripe Framework has a Cross-site Scripting vulnerability with encoded payload ### Impact A bad actor with access to edit content in the CMS could send a specifically crafted encoded payload to the server, which could be used to inject a JavaScript payload on the front end of the site. The payload would be sanitised on the client-side, but server-side sanitisation doesn't catch it. The server-side sanitisation logic has been updated to sanitise against this type of attack. ### References - https://www.silverstripe.org/download/security-releases/cve-2024-32981 |
Affected by 6 other vulnerabilities. |
|
VCID-z7fk-zbvh-quew
Aliases: SS-2016-016 |
XSS In CMSSecurity BackURL In follow up to SS-2016-001 there is yet a minor unresolved fix to incorrectly encoded URL. |
Affected by 36 other vulnerabilities. Affected by 35 other vulnerabilities. Affected by 35 other vulnerabilities. Affected by 39 other vulnerabilities. |
|
VCID-zgy5-8cgd-gqhm
Aliases: SS-2016-004 |
XSS in CMS Edit Page Due to a lack of parameter sanitisation a carefully crafted URL could be used to inject arbitrary HTML into the CMS Edit page. An attacker could create a URL and share it with a site administrator to perform an attack. |
Affected by 55 other vulnerabilities. Affected by 52 other vulnerabilities. Affected by 54 other vulnerabilities. Affected by 51 other vulnerabilities. Affected by 55 other vulnerabilities. Affected by 53 other vulnerabilities. |
|
VCID-zxmh-xcvd-53fe
Aliases: SS-2016-010 |
ReadOnly transformation for formfields exploitable Form fields returning `isReadonly()` as true are vulnerable to reflected XSS injections. This includes `ReadonlyField`, `LookupField`, `HTMLReadonlyField`, as well as special purpose fields like `TimeField_Readonly`. Values submitted to through these form fields are not filtered out from the form session data, and might be shown to the user depending on the form behaviour. For example, form validation errors cause the form to re-render with previously submitted values by default. SilverStripe forms automatically load values from request data (GET and POST), which enables malicious use of URLs if your form uses these fields and does not overwrite data on form construction. Readonly and disabled form fields are already filtered out in `saveInto()`, so maliciously submitted data on these fields does not make it into the database unless you are accessing form values directly in your saving logic. |
Affected by 36 other vulnerabilities. Affected by 35 other vulnerabilities. Affected by 35 other vulnerabilities. Affected by 39 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-5k79-mfyz-xqhu | SS-2016-003: Hostname, IP and Protocol Spoofing through HTTP Headers |
SS-2016-003-1
|
| VCID-eaqw-9k5p-pybr | Silverstripe CSRF vulnerability in GridFieldAddExistingAutocompleter GridField does not have sufficient CSRF protection, meaning that in some cases users with CMS access can be tricked into posting unspecified data into the CMS from external websites. Amongst other default CMS interfaces, GridField is used for management of groups, users and permissions in the CMS. The resolution for this issue is to ensure that all gridFieldAlterAction submissions are checked for the SecurityID token during submission. |
GHSA-2hpc-mf4q-j885
|
| VCID-te88-ws12-3bc8 | Silverstripe Hostname, IP and Protocol Spoofing through HTTP Headers In it's default configuration, SilverStripe trusts all originating IPs to include HTTP headers for Hostname, IP and Protocol. This enables reverse proxies to forward requests while still retaining the original request information. Trusted IPs can be limited via the SS_TRUSTED_PROXY_IPS constant. Even with this restriction in place, SilverStripe trusts a variety of HTTP headers due to different proxy notations (e.g. X-Forwarded-For vs. Client-IP). Unless a proxy explicitly unsets invalid HTTP headers from connecting clients, this can lead to spoofing requests being passed through trusted proxies. The impact of spoofed headers can include Director::forceSSL() not being enforced, SS_HTTPRequest->getIP() returning a wrong IP (disabling any IP restrictions), and spoofed hostnames circumventing any hostname-specific restrictions enforced in SilverStripe Controllers. Regardless on running a reverse proxy in your hosting infrastructure, please follow the instructions on Secure Coding: Request hostname forgery in order to opt-in to these protections. If your website is not behind a reverse proxy, you might already be protected if using Apache with mod_env enabled, and you have the following line in your .htaccess file: SetEnv BlockUntrustedIPs true. |
GHSA-87pf-7x99-5xc4
|
| VCID-ypfw-xhud-bbfs | Silverstripe Missing security check on dev/build/defaults The buildDefaults method on DevelopmentAdmin is missing a permission check. In live mode, if you access /dev/build, you are requested to login first. However, if you access /dev/build/defaults, then the action is performed without any login check. This should be protected in the same way that /dev/build is. The buildDefaults view is requireDefaultRecords() on each DataObject class, and hence has the potential to modify database state. It also lists all modified tables, allowing attackers more insight into which modules are used, and how the database tables are structured. |
GHSA-x5w2-wcr8-9q45
|
| VCID-zr7a-tdxv-rqff | Cross-Site Request Forgery (CSRF) CSRF vulnerability in `GridFieldAddExistingAutocompleter`. |
SS-2016-002-1
|
| VCID-zr8u-z3r4-cbct | Improper Authentication 'Missing security check on `dev/build/defaults`. |
SS-2015-028-1
|