Search for packages
| purl | pkg:composer/silverstripe/framework@4.2.0-rc1 |
| Tags | Ghost |
| Next non-vulnerable version | 5.3.23 |
| Latest non-vulnerable version | 6.0.0-alpha1 |
| Risk | 4.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-c75p-3hdz-q3b6
Aliases: GHSA-265q-222x-52m6 |
silverstripe/framework has potential SQL Injection vulnerability in PostgreSQL database connector A potential SQL injection vulnerability was identified by using the silverstripe/postgresql database adapter. While unlikely to be exploitable, we have patched silverstripe/framework to ensure that table names are safely escaped before being passed to database adapters or user code. |
Affected by 38 other vulnerabilities. |
|
VCID-kxyq-vg6e-6uac
Aliases: GHSA-cwgq-83w5-8jfq |
silverstripe/framework has possible denial of service attack vector when flushing A possible denial of service attack vector has been identified in the dev/build system controller. dev/build now has its own URL token, similar to flushtoken, to ensure users are authenticated when running dev/build outside of dev environments. |
Affected by 39 other vulnerabilities. |
|
VCID-qak9-2t7g-w3fv
Aliases: GHSA-m2hh-2m46-x6j5 |
silverstripe/framework may disclose database credentials during connection failure When running SilverStripe 3.7 or 4.x in dev mode with the mysqli database driver, there is a potential to disclose the connection details. We have blacklisted the sensitive parts of the connection information from being included in dev mode stack traces when database errors occur. |
Affected by 39 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||