Search for packages
| purl | pkg:composer/silverstripe/framework@4.8.0-beta1 |
| Next non-vulnerable version | 5.3.23 |
| Latest non-vulnerable version | 6.0.0-alpha1 |
| Risk | 10.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1p7c-bq8f-77g2
Aliases: GHSA-256q-hx8w-xcqx |
Silverstripe Framework user enumeration via timing attack on login and password reset forms ### Impact User enumeration is possible by performing a timing attack on the login or password reset pages with user credentials. This was originally disclosed in https://www.silverstripe.org/download/security-releases/ss-2017-005/ for CMS 3 but was not patched in CMS 4+ ### References - https://www.silverstripe.org/download/security-releases/ss-2017-005 - https://www.silverstripe.org/download/security-releases/ss-2025-001 |
Affected by 0 other vulnerabilities. |
|
VCID-2uck-cp19-v3e9
Aliases: CVE-2022-37421 GHSA-pp74-g2q5-j4jf |
Affected by 13 other vulnerabilities. |
|
|
VCID-4qq2-bbj1-8fdb
Aliases: GHSA-mqf3-qpc3-g26q |
Silverstripe Framework has a Reflected Cross Site Scripting (XSS) in error message > [!IMPORTANT] > This vulnerability only affects sites which are in the "dev" environment mode. If your production website is in "dev" mode, it has been misconfigured, and you should immediately swap it to "live" mode. > See https://docs.silverstripe.org/en/developer_guides/debugging/environment_types/ for more information. If a website has been set to the "dev" environment mode, a URL can be provided which includes an XSS payload which will be executed in the resulting error message. ## References - https://www.silverstripe.org/download/security-releases/ss-2024-002 ## Reported by Gaurav Nayak from [Chaleit](https://chaleit.com/) |
Affected by 2 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-4vmq-kug8-dug8
Aliases: CVE-2022-38148 GHSA-rr8h-f97q-8p9c |
Affected by 13 other vulnerabilities. Affected by 12 other vulnerabilities. |
|
|
VCID-5ccd-zu9e-yfgp
Aliases: CVE-2022-0227 GHSA-32m2-9f76-4gv8 |
Business Logic Errors in GitHub repository silverstripe/silverstripe-framework |
Affected by 17 other vulnerabilities. |
|
VCID-5j19-xx5v-fkck
Aliases: CVE-2022-25238 GHSA-jx34-gqqq-r6gm |
Affected by 14 other vulnerabilities. |
|
|
VCID-8csb-m7rv-xyh2
Aliases: CVE-2021-41559 GHSA-9fmg-89fx-r33w |
Affected by 14 other vulnerabilities. Affected by 13 other vulnerabilities. |
|
|
VCID-adng-1x6w-2baj
Aliases: CVE-2023-32302 GHSA-36xx-7vf6-7mv3 |
Improper Input Validation Silverstripe Framework is the MVC framework that powers Silverstripe CMS. When a new member record is created and a password is not set, an empty encrypted password is generated. As a result, if someone is aware of the existence of a member record associated with a specific email address, they can potentially attempt to log in using that empty password. Although the default member authenticator and login form require a non-empty password, alternative authentication methods might still permit a successful login with the empty password. This issue has been patched in versions 4.13.4 and 5.0.13. |
Affected by 9 other vulnerabilities. Affected by 9 other vulnerabilities. |
|
VCID-d1ap-2u1x-y7gg
Aliases: CVE-2024-53277 GHSA-ff6q-3c9c-6cf5 |
Affected by 2 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
|
VCID-d6gt-9mst-dub4
Aliases: CVE-2024-32981 GHSA-chx7-9x8h-r5mg |
Affected by 6 other vulnerabilities. |
|
|
VCID-ewqs-8fqc-b3hk
Aliases: GHSA-74j9-xhqr-6qv3 |
Reflected Cross Site Scripting (XSS) in error message If a website has been set to the "dev" environment mode, a URL can be provided which includes an XSS payload which will be executed in the resulting error message. |
Affected by 2 other vulnerabilities. |
|
VCID-gr5g-7tkc-2kfa
Aliases: CVE-2023-22728 GHSA-jh3w-6jp2-vqqm |
Missing Authorization Silverstripe Framework is the Model-View-Controller framework that powers the Silverstripe content management system. Prior to version 4.12.15, the GridField print view incorrectly validates the permission of DataObjects potentially allowing a content author to view records they are not authorised to access. Users should upgrade to Silverstripe Framework 4.12.15 or above to address the issue. |
Affected by 10 other vulnerabilities. |
|
VCID-hj46-jp5w-ckd1
Aliases: CVE-2022-28803 GHSA-rppc-655v-7j3c |
Affected by 14 other vulnerabilities. |
|
|
VCID-k2xa-uwrr-ffez
Aliases: GHSA-52cw-pvq9-9m5v |
Silverstripe uses TinyMCE which allows svg files linked in object tags |
Affected by 6 other vulnerabilities. |
|
VCID-kcq9-5h99-abct
Aliases: CVE-2024-47605 GHSA-7cmp-cgg8-4c82 |
Affected by 2 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
|
VCID-mvra-6wnv-xya1
Aliases: CVE-2021-36150 GHSA-j66h-cc96-c32q |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') SilverStripe Framework suffers from a XSS vulnerablity. |
Affected by 18 other vulnerabilities. Affected by 18 other vulnerabilities. |
|
VCID-nzdu-xh5w-27g7
Aliases: CVE-2023-22729 GHSA-fw84-xgm8-9jmv |
URL Redirection to Untrusted Site ('Open Redirect') Silverstripe Framework is the Model-View-Controller framework that powers the Silverstripe content management system. Prior to version 4.12.15, an attacker can display a link to a third party website on a login screen by convincing a legitimate content author to follow a specially crafted link. Users should upgrade to Silverstripe Framework 4.12.15 or above to address the issue. |
Affected by 10 other vulnerabilities. |
|
VCID-txyu-4qkf-r3cs
Aliases: CVE-2023-48714 GHSA-qm2j-qvq3-j29v |
Exposure of Sensitive Information to an Unauthorized Actor Silverstripe Framework is the framework that forms the base of the Silverstripe content management system. Prior to versions 4.13.39 and 5.1.11, if a user should not be able to see a record, but that record can be added to a `GridField` using the `GridFieldAddExistingAutocompleter` component, the record's title can be accessed by that user. Versions 4.13.39 and 5.1.11 contain a fix for this issue. |
Affected by 8 other vulnerabilities. Affected by 8 other vulnerabilities. |
|
VCID-ywfx-pjg6-aqcj
Aliases: CVE-2025-30148 GHSA-rhx4-hvx9-j387 |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||