Package details: pkg:composer/silverstripe/framework@5.0.0-beta2
purl pkg:composer/silverstripe/framework@5.0.0-beta2
Next non-vulnerable version 5.3.23
Latest non-vulnerable version 6.0.0-alpha1
Risk 10.0
Vulnerabilities affecting this package (8)
Vulnerability Summary Fixed by
VCID-1p7c-bq8f-77g2
Aliases:
GHSA-256q-hx8w-xcqx
Silverstripe Framework user enumeration via timing attack on login and password reset forms
### Impact
User enumeration is possible by performing a timing attack on the login or password reset pages with user credentials. This was originally disclosed in https://www.silverstripe.org/download/security-releases/ss-2017-005/ for CMS 3 but was not patched in CMS 4+
### References
- https://www.silverstripe.org/download/security-releases/ss-2017-005
- https://www.silverstripe.org/download/security-releases/ss-2025-001
5.3.23
Affected by 0 other vulnerabilities.
VCID-4qq2-bbj1-8fdb
Aliases:
GHSA-mqf3-qpc3-g26q
Silverstripe Framework has a Reflected Cross Site Scripting (XSS) in error message
> [!IMPORTANT]
> This vulnerability only affects sites which are in the "dev" environment mode. If your production website is in "dev" mode, it has been misconfigured, and you should immediately swap it to "live" mode.
> See https://docs.silverstripe.org/en/developer_guides/debugging/environment_types/ for more information.

If a website has been set to the "dev" environment mode, a URL can be provided which includes an XSS payload which will be executed in the resulting error message.
## References
- https://www.silverstripe.org/download/security-releases/ss-2024-002
## Reported by
Gaurav Nayak from [Chaleit](https://chaleit.com/)
5.3.8
Affected by 2 other vulnerabilities.
6.0.0-alpha1
Affected by 0 other vulnerabilities.
VCID-d1ap-2u1x-y7gg
Aliases:
CVE-2024-53277
GHSA-ff6q-3c9c-6cf5
5.3.8
Affected by 2 other vulnerabilities.
6.0.0-alpha1
Affected by 0 other vulnerabilities.
VCID-d6gt-9mst-dub4
Aliases:
CVE-2024-32981
GHSA-chx7-9x8h-r5mg
5.2.16
Affected by 6 other vulnerabilities.
VCID-ewqs-8fqc-b3hk
Aliases:
GHSA-74j9-xhqr-6qv3
Reflected Cross Site Scripting (XSS) in error message
If a website has been set to the "dev" environment mode, a URL can be provided which includes an XSS payload which will be executed in the resulting error message.
5.3.8
Affected by 2 other vulnerabilities.
VCID-k2xa-uwrr-ffez
Aliases:
GHSA-52cw-pvq9-9m5v
Silverstripe uses TinyMCE which allows svg files linked in object tags
5.2.16
Affected by 6 other vulnerabilities.
VCID-kcq9-5h99-abct
Aliases:
CVE-2024-47605
GHSA-7cmp-cgg8-4c82
5.3.8
Affected by 2 other vulnerabilities.
6.0.0-alpha1
Affected by 0 other vulnerabilities.
VCID-ywfx-pjg6-aqcj
Aliases:
CVE-2025-30148
GHSA-rhx4-hvx9-j387
5.3.23
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-01T08:38:31.527901+00:00 GitLab Importer Affected by VCID-ywfx-pjg6-aqcj https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/framework/CVE-2025-30148.yml 38.6.0
2026-06-01T08:38:28.149375+00:00 GitLab Importer Affected by VCID-1p7c-bq8f-77g2 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/framework/GHSA-256q-hx8w-xcqx.yml 38.6.0
2026-06-01T08:29:24.171972+00:00 GitLab Importer Affected by VCID-ewqs-8fqc-b3hk https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/framework/GHSA-74j9-xhqr-6qv3.yml 38.6.0
2026-06-01T08:28:46.275487+00:00 GitLab Importer Affected by VCID-4qq2-bbj1-8fdb https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/framework/GHSA-mqf3-qpc3-g26q.yml 38.6.0
2026-06-01T08:28:19.521020+00:00 GitLab Importer Affected by VCID-kcq9-5h99-abct https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/framework/CVE-2024-47605.yml 38.6.0
2026-06-01T08:28:07.888564+00:00 GitLab Importer Affected by VCID-d1ap-2u1x-y7gg https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/framework/CVE-2024-53277.yml 38.6.0
2026-06-01T08:10:28.207395+00:00 GitLab Importer Affected by VCID-k2xa-uwrr-ffez https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/framework/GHSA-52cw-pvq9-9m5v.yml 38.6.0
2026-06-01T08:10:24.509885+00:00 GitLab Importer Affected by VCID-d6gt-9mst-dub4 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/framework/CVE-2024-32981.yml 38.6.0