Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:composer/silverstripe/framework@5.3.8
purl pkg:composer/silverstripe/framework@5.3.8
Next non-vulnerable version 5.3.23
Latest non-vulnerable version 6.0.0-alpha1
Risk 3.1
Vulnerabilities affecting this package (2)
Vulnerability Summary Fixed by
VCID-a3yc-fxa1-gfhy
Aliases:
CVE-2025-30148
GHSA-rhx4-hvx9-j387
Silverstripe Framework has a XSS vulnerability in HTML editor ### Impact A bad actor with access to edit content in the CMS could send a specifically crafted encoded payload to the server, which could be used to inject a JavaScript payload on the front end of the site. The payload would be sanitised on the client-side, but server-side sanitisation doesn't catch it. The server-side sanitisation logic has been updated to sanitise against this attack. ### Reported by James Nicoll from Fujitsu Cyber ### References - https://www.silverstripe.org/download/security-releases/cve-2025-30148
5.3.23
Affected by 0 other vulnerabilities.
VCID-qjgf-hxng-j3g9
Aliases:
GHSA-256q-hx8w-xcqx
Silverstripe Framework user enumeration via timing attack on login and password reset forms ### Impact User enumeration is possible by performing a timing attack on the login or password reset pages with user credentials. This was originally disclosed in https://www.silverstripe.org/download/security-releases/ss-2017-005/ for CMS 3 but was not patched in CMS 4+ ### References - https://www.silverstripe.org/download/security-releases/ss-2017-005 - https://www.silverstripe.org/download/security-releases/ss-2025-001
5.3.23
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (4)
Vulnerability Summary Aliases
VCID-6epx-c68d-d7bv Silverstripe Framework has a XSS in form messages In some cases, form messages can contain HTML markup. This is an intentional feature, allowing links and other relevant HTML markup for the given message. Some form messages include content that the user can provide. There are scenarios in the CMS where that content doesn't get correctly sanitised prior to being included in the form message, resulting in an XSS vulnerability. ### References - https://www.silverstripe.org/download/security-releases/cve-2024-53277 ## Reported by Leo Diamat from [Bastion Security Group](http://www.bastionsecurity.co.nz/) CVE-2024-53277
GHSA-ff6q-3c9c-6cf5
VCID-axxx-gpfn-mqc9 Silverstripe Framework has a Reflected Cross Site Scripting (XSS) in error message > [!IMPORTANT] > This vulnerability only affects sites which are in the "dev" environment mode. If your production website is in "dev" mode, it has been misconfigured, and you should immediately swap it to "live" mode. > See https://docs.silverstripe.org/en/developer_guides/debugging/environment_types/ for more information. If a website has been set to the "dev" environment mode, a URL can be provided which includes an XSS payload which will be executed in the resulting error message. ## References - https://www.silverstripe.org/download/security-releases/ss-2024-002 ## Reported by Gaurav Nayak from [Chaleit](https://chaleit.com/) GHSA-mqf3-qpc3-g26q
VCID-kvhv-9fj5-7kgk Silverstripe Framework has a XSS via insert media remote file oembed ### Impact When using the "insert media" functionality, the linked oEmbed JSON includes an HTML attribute which will replace the embed shortcode. The HTML is not sanitized before replacing the shortcode, allowing a script payload to be executed on both the CMS and the front-end of the website. ## References - https://www.silverstripe.org/download/security-releases/cve-2024-47605 ## Reported by James Nicoll from [Fujitsu Cyber Security Services](https://www.fujitsu.com/nz/services/security/) CVE-2024-47605
GHSA-7cmp-cgg8-4c82
VCID-kw9p-5fbc-hudg Reflected Cross Site Scripting (XSS) in error message If a website has been set to the "dev" environment mode, a URL can be provided which includes an XSS payload which will be executed in the resulting error message. GHSA-74j9-xhqr-6qv3

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-12T00:45:55.849803+00:00 GitLab Importer Affected by VCID-a3yc-fxa1-gfhy https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/framework/CVE-2025-30148.yml 38.3.0
2026-04-12T00:45:53.117941+00:00 GitLab Importer Affected by VCID-qjgf-hxng-j3g9 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/framework/GHSA-256q-hx8w-xcqx.yml 38.3.0
2026-04-12T00:38:06.777855+00:00 GitLab Importer Fixing VCID-kw9p-5fbc-hudg https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/framework/GHSA-74j9-xhqr-6qv3.yml 38.3.0
2026-04-07T04:56:52.744993+00:00 GHSA Importer Fixing VCID-kw9p-5fbc-hudg https://github.com/advisories/GHSA-74j9-xhqr-6qv3 38.1.0
2026-04-07T04:56:49.736274+00:00 GHSA Importer Fixing VCID-axxx-gpfn-mqc9 https://github.com/advisories/GHSA-mqf3-qpc3-g26q 38.1.0
2026-04-07T04:56:49.707893+00:00 GHSA Importer Fixing VCID-6epx-c68d-d7bv https://github.com/advisories/GHSA-ff6q-3c9c-6cf5 38.1.0
2026-04-07T04:56:49.674159+00:00 GHSA Importer Fixing VCID-kvhv-9fj5-7kgk https://github.com/advisories/GHSA-7cmp-cgg8-4c82 38.1.0
2026-04-03T00:53:53.634536+00:00 GitLab Importer Affected by VCID-a3yc-fxa1-gfhy https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/framework/CVE-2025-30148.yml 38.1.0
2026-04-03T00:53:50.788958+00:00 GitLab Importer Affected by VCID-qjgf-hxng-j3g9 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/framework/GHSA-256q-hx8w-xcqx.yml 38.1.0
2026-04-03T00:46:02.992550+00:00 GitLab Importer Fixing VCID-kw9p-5fbc-hudg https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/framework/GHSA-74j9-xhqr-6qv3.yml 38.1.0
2026-04-02T12:40:43.485055+00:00 GitLab Importer Fixing VCID-kw9p-5fbc-hudg https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/framework/GHSA-74j9-xhqr-6qv3.yml 38.0.0
2026-04-02T12:40:41.023174+00:00 GitLab Importer Fixing VCID-axxx-gpfn-mqc9 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/framework/GHSA-mqf3-qpc3-g26q.yml 38.0.0
2026-04-02T12:40:40.216800+00:00 GitLab Importer Fixing VCID-kvhv-9fj5-7kgk https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/framework/CVE-2024-47605.yml 38.0.0
2026-04-02T12:40:38.891225+00:00 GitLab Importer Fixing VCID-6epx-c68d-d7bv https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/framework/CVE-2024-53277.yml 38.0.0
2026-04-01T12:55:25.763319+00:00 GithubOSV Importer Fixing VCID-kw9p-5fbc-hudg https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-74j9-xhqr-6qv3/GHSA-74j9-xhqr-6qv3.json 38.0.0
2026-04-01T12:55:23.527846+00:00 GithubOSV Importer Fixing VCID-6epx-c68d-d7bv https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-ff6q-3c9c-6cf5/GHSA-ff6q-3c9c-6cf5.json 38.0.0
2026-04-01T12:55:21.411771+00:00 GithubOSV Importer Fixing VCID-axxx-gpfn-mqc9 https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-mqf3-qpc3-g26q/GHSA-mqf3-qpc3-g26q.json 38.0.0
2026-04-01T12:55:21.008024+00:00 GithubOSV Importer Fixing VCID-kvhv-9fj5-7kgk https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-7cmp-cgg8-4c82/GHSA-7cmp-cgg8-4c82.json 38.0.0