| purl | pkg:composer/silverstripe/framework@3.6.2-beta2 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-2af9-znrv-3bf7 (Aliases: GHSA-4qx8-j9vh-2628) | silverstripe/framework's User-Agent header not correctly invalidating user session | Affected by 30 other vulnerabilities. |
| VCID-2e1q-fc4b-mydq (Aliases: GHSA-xpff-c35g-j3cr) | silverstripe/framework Privilege Escalation Risk in Member Edit form | Affected by 29 other vulnerabilities. Affected by 34 other vulnerabilities. Affected by 35 other vulnerabilities. |
| VCID-2uck-cp19-v3e9 (Aliases: CVE-2022-37421, GHSA-pp74-g2q5-j4jf) | | Affected by 11 other vulnerabilities. |
| VCID-3497-71mw-yqh8 (Aliases: CVE-2019-5715, GHSA-wvfw-w3x6-g526) | SilverStripe allows Reflected SQL Injection through Form and `DataObject`. | Affected by 28 other vulnerabilities. Affected by 27 other vulnerabilities. Affected by 30 other vulnerabilities. Affected by 31 other vulnerabilities. Affected by 31 other vulnerabilities. Affected by 31 other vulnerabilities. |
| VCID-4mg2-rjsn-qyfx (Aliases: CVE-2019-12203, GHSA-w7r7-r8r9-vrg2) | | Affected by 28 other vulnerabilities. Affected by 27 other vulnerabilities. Affected by 24 other vulnerabilities. Affected by 23 other vulnerabilities. Affected by 24 other vulnerabilities. |
| VCID-4qq2-bbj1-8fdb (Aliases: GHSA-mqf3-qpc3-g26q) | Silverstripe Framework has a Reflected Cross Site Scripting (XSS) in error message. Important: this vulnerability only affects sites which are in the "dev" environment mode. If your production website is in "dev" mode, it has been misconfigured, and you should immediately swap it to "live" mode. See https://docs.silverstripe.org/en/developer_guides/debugging/environment_types/ for more information. If a website has been set to the "dev" environment mode, a URL can be provided which includes an XSS payload which will be executed in the resulting error message. References: https://www.silverstripe.org/download/security-releases/ss-2024-002. Reported by Gaurav Nayak from [Chaleit](https://chaleit.com/). | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-5ccd-zu9e-yfgp (Aliases: CVE-2022-0227, GHSA-32m2-9f76-4gv8) | Business Logic Errors in GitHub repository silverstripe/silverstripe-framework | Affected by 15 other vulnerabilities. |
| VCID-7kmy-8ht6-8fcw (Aliases: CVE-2019-12245, GHSA-jvx5-rm6q-gx7p) | | Affected by 28 other vulnerabilities. Affected by 27 other vulnerabilities. Affected by 24 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 24 other vulnerabilities. |
| VCID-8csb-m7rv-xyh2 (Aliases: CVE-2021-41559, GHSA-9fmg-89fx-r33w) | | Affected by 11 other vulnerabilities. Affected by 12 other vulnerabilities. |
| VCID-8z35-2baj-cqdb (Aliases: GHSA-vh7q-j8p5-2h4h) | silverstripe/framework sends passwords back to browsers under some circumstances | Affected by 29 other vulnerabilities. Affected by 34 other vulnerabilities. Affected by 35 other vulnerabilities. |
| VCID-9vwe-uejx-c3c5 (Aliases: CVE-2019-12246, GHSA-5fr8-xhqq-4p3q) | | Affected by 24 other vulnerabilities. Affected by 29 other vulnerabilities. |
| VCID-adng-1x6w-2baj (Aliases: CVE-2023-32302, GHSA-36xx-7vf6-7mv3) | Improper Input Validation. Silverstripe Framework is the MVC framework that powers Silverstripe CMS. When a new member record is created and a password is not set, an empty encrypted password is generated. As a result, if someone is aware of the existence of a member record associated with a specific email address, they can potentially attempt to log in using that empty password. Although the default member authenticator and login form require a non-empty password, alternative authentication methods might still permit a successful login with the empty password. This issue has been patched in versions 4.13.4 and 5.0.13. | Affected by 7 other vulnerabilities. Affected by 7 other vulnerabilities. |
| VCID-cskj-c9ur-47dj (Aliases: CVE-2020-26136, GHSA-mg2g-8pwj-r2j2) | | Affected by 17 other vulnerabilities. |
| VCID-d1ap-2u1x-y7gg (Aliases: CVE-2024-53277, GHSA-ff6q-3c9c-6cf5) | | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-d6gt-9mst-dub4 (Aliases: CVE-2024-32981, GHSA-chx7-9x8h-r5mg) | | Affected by 4 other vulnerabilities. |
| VCID-djww-2v4e-qkb2 (Aliases: CVE-2020-26138, GHSA-7mv4-4xpg-xq44) | | Affected by 17 other vulnerabilities. Affected by 17 other vulnerabilities. |
| VCID-ewqs-8fqc-b3hk (Aliases: GHSA-74j9-xhqr-6qv3) | Reflected Cross Site Scripting (XSS) in error message. If a website has been set to the "dev" environment mode, a URL can be provided which includes an XSS payload which will be executed in the resulting error message. | Affected by 0 other vulnerabilities. |
| VCID-fn6y-hytc-r3b5 (Aliases: CVE-2019-19326, GHSA-q9ff-3q93-fm8m) | | Affected by 17 other vulnerabilities. Affected by 21 other vulnerabilities. Affected by 20 other vulnerabilities. |
| VCID-gr5g-7tkc-2kfa (Aliases: CVE-2023-22728, GHSA-jh3w-6jp2-vqqm) | Missing Authorization. Silverstripe Framework is the Model-View-Controller framework that powers the Silverstripe content management system. Prior to version 4.12.15, the GridField print view incorrectly validates the permission of DataObjects, potentially allowing a content author to view records they are not authorised to access. Users should upgrade to Silverstripe Framework 4.12.15 or above to address the issue. | Affected by 8 other vulnerabilities. |
| VCID-hp6e-75gr-uuan (Aliases: GHSA-xx4r-5265-48j6) | silverstripe/framework SQL injection in full text search | Affected by 30 other vulnerabilities. Affected by 39 other vulnerabilities. |
| VCID-hsfb-xx67-7qg6 (Aliases: GHSA-ph62-fv59-vf9h) | silverstripe/framework users inadvertently passing sensitive data to LoginAttempt | Affected by 30 other vulnerabilities. Affected by 39 other vulnerabilities. |
| VCID-k1aa-deyg-2kdg (Aliases: CVE-2019-14272, GHSA-jgw2-f5mx-rg7h) | | Affected by 43 other vulnerabilities. Affected by 39 other vulnerabilities. Affected by 23 other vulnerabilities. Affected by 24 other vulnerabilities. |
| VCID-k2xa-uwrr-ffez (Aliases: GHSA-52cw-pvq9-9m5v) | Silverstripe uses TinyMCE which allows svg files linked in object tags | Affected by 4 other vulnerabilities. |
| VCID-k6ed-y2ud-wffu (Aliases: CVE-2019-14273, GHSA-43jj-2rwc-2m3f) | | Affected by 43 other vulnerabilities. Affected by 39 other vulnerabilities. Affected by 23 other vulnerabilities. Affected by 24 other vulnerabilities. |
| VCID-k8vz-xw7w-e3dg (Aliases: GHSA-mqjc-x563-c9q8) | silverstripe/framework CSV Excel Macro Injection | Affected by 30 other vulnerabilities. Affected by 39 other vulnerabilities. |
| VCID-kcq9-5h99-abct (Aliases: CVE-2024-47605, GHSA-7cmp-cgg8-4c82) | | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-m2bw-tabk-qyd8 (Aliases: CVE-2019-12617, GHSA-6r58-4xgr-gm6m) | | Affected by 24 other vulnerabilities. Affected by 23 other vulnerabilities. Affected by 24 other vulnerabilities. |
| VCID-mvra-6wnv-xya1 (Aliases: CVE-2021-36150, GHSA-j66h-cc96-c32q) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). SilverStripe Framework suffers from an XSS vulnerability. | Affected by 16 other vulnerabilities. Affected by 16 other vulnerabilities. |
| VCID-nzdu-xh5w-27g7 (Aliases: CVE-2023-22729, GHSA-fw84-xgm8-9jmv) | URL Redirection to Untrusted Site ('Open Redirect'). Silverstripe Framework is the Model-View-Controller framework that powers the Silverstripe content management system. Prior to version 4.12.15, an attacker can display a link to a third party website on a login screen by convincing a legitimate content author to follow a specially crafted link. Users should upgrade to Silverstripe Framework 4.12.15 or above to address the issue. | Affected by 8 other vulnerabilities. |
| VCID-pq7w-n99a-q7cj (Aliases: CVE-2017-18049, GHSA-2jvj-mhf2-g99w) | Injection Vulnerability. In the CSV export feature of SilverStripe, it is possible for the output to contain macros and scripts, which may be executed if imported without sanitization into common software. | Affected by 34 other vulnerabilities. Affected by 30 other vulnerabilities. Affected by 43 other vulnerabilities. Affected by 39 other vulnerabilities. |
| VCID-qrhh-c86j-rqe6 (Aliases: CVE-2020-25817, GHSA-3vjc-5x79-m9r8) | | Affected by 17 other vulnerabilities. Affected by 17 other vulnerabilities. |
| VCID-tp75-2k7m-6yaw (Aliases: CVE-2020-9311, GHSA-2pw2-qpcp-m47x) | | Affected by 17 other vulnerabilities. |
| VCID-txyu-4qkf-r3cs (Aliases: CVE-2023-48714, GHSA-qm2j-qvq3-j29v) | Exposure of Sensitive Information to an Unauthorized Actor. Silverstripe Framework is the framework that forms the base of the Silverstripe content management system. Prior to versions 4.13.39 and 5.1.11, if a user should not be able to see a record, but that record can be added to a `GridField` using the `GridFieldAddExistingAutocompleter` component, the record's title can be accessed by that user. Versions 4.13.39 and 5.1.11 contain a fix for this issue. | Affected by 6 other vulnerabilities. Affected by 6 other vulnerabilities. |
| VCID-x6g5-a61e-3khu (Aliases: CVE-2019-12205, GHSA-rfvw-5848-gxc5) | | Affected by 24 other vulnerabilities. Affected by 23 other vulnerabilities. Affected by 24 other vulnerabilities. |
| VCID-yhh9-rkh9-rqeu (Aliases: GHSA-7m2v-x7rg-5hm5) | silverstripe/framework vulnerable to user enumeration via timing attack on login and password reset forms | Affected by 35 other vulnerabilities. |
| VCID-yxg1-dz91-ckgs (Aliases: CVE-2019-12437, GHSA-fx37-56v6-85q6) | Cross-Site Request Forgery (CSRF). Cross Site Request Forgery (CSRF) Protection Bypass in GraphQL. | Affected by 24 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||