| Field | Value |
|---|---|
| purl | pkg:composer/silverstripe/framework@4.13.0-beta1 |
| Next non-vulnerable version | 5.3.23 |
| Latest non-vulnerable version | 6.0.0-alpha1 |
| Risk | |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-1p7c-bq8f-77g2 (aliases: GHSA-256q-hx8w-xcqx) | Silverstripe Framework user enumeration via timing attack on login and password reset forms. Impact: user enumeration is possible by performing a timing attack on the login or password reset pages with user credentials. This was originally disclosed in https://www.silverstripe.org/download/security-releases/ss-2017-005/ for CMS 3 but was not patched in CMS 4+. References: https://www.silverstripe.org/download/security-releases/ss-2017-005 and https://www.silverstripe.org/download/security-releases/ss-2025-001 | Affected by 0 other vulnerabilities. |
| VCID-4qq2-bbj1-8fdb (aliases: GHSA-mqf3-qpc3-g26q) | Silverstripe Framework has a Reflected Cross Site Scripting (XSS) in error message. Important: this vulnerability only affects sites which are in the "dev" environment mode. If your production website is in "dev" mode, it has been misconfigured, and you should immediately swap it to "live" mode; see https://docs.silverstripe.org/en/developer_guides/debugging/environment_types/ for more information. If a website has been set to the "dev" environment mode, a URL can be provided which includes an XSS payload which will be executed in the resulting error message. References: https://www.silverstripe.org/download/security-releases/ss-2024-002. Reported by Gaurav Nayak from Chaleit (https://chaleit.com/). | Affected by 2 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-adng-1x6w-2baj (aliases: CVE-2023-32302, GHSA-36xx-7vf6-7mv3) | Improper Input Validation. Silverstripe Framework is the MVC framework that powers Silverstripe CMS. When a new member record is created and a password is not set, an empty encrypted password is generated. As a result, if someone is aware of the existence of a member record associated with a specific email address, they can potentially attempt to log in using that empty password. Although the default member authenticator and login form require a non-empty password, alternative authentication methods might still permit a successful login with the empty password. This issue has been patched in versions 4.13.4 and 5.0.13. | Affected by 9 other vulnerabilities. Affected by 9 other vulnerabilities. |
| VCID-d1ap-2u1x-y7gg (aliases: CVE-2024-53277, GHSA-ff6q-3c9c-6cf5) | | Affected by 2 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-d6gt-9mst-dub4 (aliases: CVE-2024-32981, GHSA-chx7-9x8h-r5mg) | | Affected by 6 other vulnerabilities. |
| VCID-ewqs-8fqc-b3hk (aliases: GHSA-74j9-xhqr-6qv3) | Reflected Cross Site Scripting (XSS) in error message. If a website has been set to the "dev" environment mode, a URL can be provided which includes an XSS payload which will be executed in the resulting error message. | Affected by 2 other vulnerabilities. |
| VCID-k2xa-uwrr-ffez (aliases: GHSA-52cw-pvq9-9m5v) | Silverstripe uses TinyMCE which allows svg files linked in object tags. | Affected by 6 other vulnerabilities. |
| VCID-kcq9-5h99-abct (aliases: CVE-2024-47605, GHSA-7cmp-cgg8-4c82) | | Affected by 2 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-txyu-4qkf-r3cs (aliases: CVE-2023-48714, GHSA-qm2j-qvq3-j29v) | Exposure of Sensitive Information to an Unauthorized Actor. Silverstripe Framework is the framework that forms the base of the Silverstripe content management system. Prior to versions 4.13.39 and 5.1.11, if a user should not be able to see a record, but that record can be added to a `GridField` using the `GridFieldAddExistingAutocompleter` component, the record's title can be accessed by that user. Versions 4.13.39 and 5.1.11 contain a fix for this issue. | Affected by 8 other vulnerabilities. Affected by 8 other vulnerabilities. |
| VCID-ywfx-pjg6-aqcj (aliases: CVE-2025-30148, GHSA-rhx4-hvx9-j387) | | Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | | |