| purl | pkg:composer/silverstripe/framework@4.9.0-alpha1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-1p79-328x-sueq (Aliases: CVE-2021-41559, GHSA-9fmg-89fx-r33w) | Quadratic blowup in Convert::xml2array(): Silverstripe silverstripe/framework 4.x until 4.10.9 has a quadratic blowup in Convert::xml2array() that enables a remote attack via a crafted XML document. | Affected by 8 other vulnerabilities. Affected by 7 other vulnerabilities. |
| VCID-24a5-ruc4-bycq (Aliases: CVE-2022-28803, GHSA-rppc-655v-7j3c) | Stored XSS in link tags added via XHR in SilverStripe Framework: SilverStripe Framework 4.x prior to 4.10.9 is vulnerable to cross-site scripting inside the href attribute of an HTML hyperlink, which can be added to website content via XMLHttpRequest (XHR) by an authenticated CMS user. | Affected by 8 other vulnerabilities. |
| VCID-7gak-15m5-j3f5 (Aliases: CVE-2022-38148, GHSA-rr8h-f97q-8p9c) | Blind SQL Injection via GridFieldSortableHeader: Gridfield state is vulnerable to SQL injections. The vast majority of Gridfields in Silverstripe CMS are affected by this vulnerability. An attacker with CMS access could execute an arbitrary SQL statement by adding an SQL payload in some parts of the GridField state. | Affected by 3 other vulnerabilities. Affected by 2 other vulnerabilities. |
| VCID-7w7t-3783-1kbs (Aliases: CVE-2022-37430, GHSA-qw4w-vq8v-2wcv, GMS-2022-6857) | Stored XSS using uppercase characters in HTMLEditor: A malicious content author could add a JavaScript payload to the href attribute of a link. A similar issue was identified and fixed via CVE-2022-28803. However, the fix didn't account for the casing of the href attribute. An attacker must have access to the CMS to exploit this issue. | Affected by 3 other vulnerabilities. Affected by 2 other vulnerabilities. |
| VCID-9t4k-8hsz-bfdw (Aliases: CVE-2022-38462, GHSA-vvxf-r4vm-2vm6, GMS-2022-6858) | Reflected XSS in querystring parameters: An attacker could inject an XSS payload in a Silverstripe CMS response by carefully crafting a return URL on a /dev/build or /Security/login request. To exploit this vulnerability, an attacker would need to convince a user to follow a link with a malicious payload. This will only affect projects configured to output PHP warnings to the browser. By default, Silverstripe CMS will only output PHP warnings if your SS_ENVIRONMENT_TYPE environment variable is set to dev. Production sites should always set SS_ENVIRONMENT_TYPE to live. | Affected by 3 other vulnerabilities. Affected by 2 other vulnerabilities. |
| VCID-a7cf-kpzy-xudd (Aliases: CVE-2023-22729, GHSA-fw84-xgm8-9jmv) | URL Redirection to Untrusted Site ('Open Redirect'): Silverstripe Framework is the Model-View-Controller framework that powers the Silverstripe content management system. Prior to version 4.12.15, an attacker can display a link to a third party website on a login screen by convincing a legitimate content author to follow a specially crafted link. Users should upgrade to Silverstripe Framework 4.12.15 or above to address the issue. | Affected by 0 other vulnerabilities. |
| VCID-ca4q-xd4v-vqfe (Aliases: CVE-2022-38724, GHSA-9cx2-hj6m-fv58, GMS-2022-6853, GMS-2022-6856) | Silverstripe XSS in shortcodes: A malicious content author could add arbitrary attributes to HTML editor shortcodes which could be used to inject a JavaScript payload on the front end of the site. The shortcode providers that ship with Silverstripe CMS have been reviewed and attribute whitelists have been implemented where appropriate to negate this risk. | Affected by 3 other vulnerabilities. Affected by 2 other vulnerabilities. |
| VCID-fmfu-81xu-pfdy (Aliases: CVE-2022-25238, GHSA-jx34-gqqq-r6gm) | Stored XSS via HTML fields in SilverStripe Framework: SilverStripe Framework through 4.10.8 allows XSS inside of script tags that can be added to website content via XHR by an authenticated CMS user if the cwp-core module is not installed or the sanitise_server_side config is not set to true in project code. | Affected by 8 other vulnerabilities. |
| VCID-hcuz-gz3w-97ew (Aliases: CVE-2022-0227, GHSA-32m2-9f76-4gv8) | Business Logic Errors in GitHub repository silverstripe/silverstripe-framework. | Affected by 11 other vulnerabilities. |
| VCID-uy47-3s8a-hbdn (Aliases: CVE-2022-37421, GHSA-pp74-g2q5-j4jf, GMS-2022-6855) | Silverstripe CMS Stored XSS in custom meta tags: A malicious content author could create a custom meta tag and execute an arbitrary JavaScript payload. This would require convincing a legitimate user to access a page and enter a custom keyboard shortcut. This requires CMS access to exploit. | Affected by 7 other vulnerabilities. |
| VCID-xm4q-u96p-57dd (Aliases: CVE-2022-37429, GHSA-wc6r-4ggc-79w5, GMS-2022-6859) | Stored XSS using HTMLEditor: A malicious content author could add a JavaScript payload to the href attribute of a link by splitting a javascript URL with white space characters. An attacker must have access to the CMS to exploit this issue. | Affected by 3 other vulnerabilities. Affected by 2 other vulnerabilities. |
| VCID-zdge-zsmz-8ud9 (Aliases: CVE-2023-22728, GHSA-jh3w-6jp2-vqqm) | Missing Authorization: Silverstripe Framework is the Model-View-Controller framework that powers the Silverstripe content management system. Prior to version 4.12.15, the GridField print view incorrectly validates the permission of DataObjects, potentially allowing a content author to view records they are not authorised to access. Users should upgrade to Silverstripe Framework 4.12.15 or above to address the issue. | Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-n4fk-735u-2baw | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): SilverStripe Framework suffers from an XSS vulnerability. | CVE-2021-36150, GHSA-j66h-cc96-c32q |