VulnerableCode Package Details - pkg:composer/silverstripe/framework@6.0.0-alpha1

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-6epx-c68d-d7bv	Silverstripe Framework has a XSS in form messages In some cases, form messages can contain HTML markup. This is an intentional feature, allowing links and other relevant HTML markup for the given message. Some form messages include content that the user can provide. There are scenarios in the CMS where that content doesn't get correctly sanitised prior to being included in the form message, resulting in an XSS vulnerability. ### References - https://www.silverstripe.org/download/security-releases/cve-2024-53277 ## Reported by Leo Diamat from [Bastion Security Group](http://www.bastionsecurity.co.nz/)	CVE-2024-53277 GHSA-ff6q-3c9c-6cf5
VCID-axxx-gpfn-mqc9	Silverstripe Framework has a Reflected Cross Site Scripting (XSS) in error message > [!IMPORTANT] > This vulnerability only affects sites which are in the "dev" environment mode. If your production website is in "dev" mode, it has been misconfigured, and you should immediately swap it to "live" mode. > See https://docs.silverstripe.org/en/developer_guides/debugging/environment_types/ for more information. If a website has been set to the "dev" environment mode, a URL can be provided which includes an XSS payload which will be executed in the resulting error message. ## References - https://www.silverstripe.org/download/security-releases/ss-2024-002 ## Reported by Gaurav Nayak from [Chaleit](https://chaleit.com/)	GHSA-mqf3-qpc3-g26q
VCID-kvhv-9fj5-7kgk	Silverstripe Framework has a XSS via insert media remote file oembed ### Impact When using the "insert media" functionality, the linked oEmbed JSON includes an HTML attribute which will replace the embed shortcode. The HTML is not sanitized before replacing the shortcode, allowing a script payload to be executed on both the CMS and the front-end of the website. ## References - https://www.silverstripe.org/download/security-releases/cve-2024-47605 ## Reported by James Nicoll from [Fujitsu Cyber Security Services](https://www.fujitsu.com/nz/services/security/)	CVE-2024-47605 GHSA-7cmp-cgg8-4c82

Vulnerability

Summary

Aliases

VCID-6epx-c68d-d7bv

Silverstripe Framework has a XSS in form messages In some cases, form messages can contain HTML markup. This is an intentional feature, allowing links and other relevant HTML markup for the given message. Some form messages include content that the user can provide. There are scenarios in the CMS where that content doesn't get correctly sanitised prior to being included in the form message, resulting in an XSS vulnerability. ### References - https://www.silverstripe.org/download/security-releases/cve-2024-53277 ## Reported by Leo Diamat from [Bastion Security Group](http://www.bastionsecurity.co.nz/)

CVE-2024-53277
GHSA-ff6q-3c9c-6cf5

VCID-axxx-gpfn-mqc9

Silverstripe Framework has a Reflected Cross Site Scripting (XSS) in error message > [!IMPORTANT] > This vulnerability only affects sites which are in the "dev" environment mode. If your production website is in "dev" mode, it has been misconfigured, and you should immediately swap it to "live" mode. > See https://docs.silverstripe.org/en/developer_guides/debugging/environment_types/ for more information. If a website has been set to the "dev" environment mode, a URL can be provided which includes an XSS payload which will be executed in the resulting error message. ## References - https://www.silverstripe.org/download/security-releases/ss-2024-002 ## Reported by Gaurav Nayak from [Chaleit](https://chaleit.com/)

GHSA-mqf3-qpc3-g26q

VCID-kvhv-9fj5-7kgk

Silverstripe Framework has a XSS via insert media remote file oembed ### Impact When using the "insert media" functionality, the linked oEmbed JSON includes an HTML attribute which will replace the embed shortcode. The HTML is not sanitized before replacing the shortcode, allowing a script payload to be executed on both the CMS and the front-end of the website. ## References - https://www.silverstripe.org/download/security-releases/cve-2024-47605 ## Reported by James Nicoll from [Fujitsu Cyber Security Services](https://www.fujitsu.com/nz/services/security/)

CVE-2024-47605
GHSA-7cmp-cgg8-4c82

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-12T00:37:36.715112+00:00	GitLab Importer	Fixing	VCID-axxx-gpfn-mqc9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/framework/GHSA-mqf3-qpc3-g26q.yml	38.3.0
2026-04-12T00:37:14.676759+00:00	GitLab Importer	Fixing	VCID-kvhv-9fj5-7kgk	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/framework/CVE-2024-47605.yml	38.3.0
2026-04-12T00:37:06.079471+00:00	GitLab Importer	Fixing	VCID-6epx-c68d-d7bv	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/framework/CVE-2024-53277.yml	38.3.0
2026-04-03T00:45:31.360716+00:00	GitLab Importer	Fixing	VCID-axxx-gpfn-mqc9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/framework/GHSA-mqf3-qpc3-g26q.yml	38.1.0
2026-04-03T00:45:08.991651+00:00	GitLab Importer	Fixing	VCID-kvhv-9fj5-7kgk	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/framework/CVE-2024-47605.yml	38.1.0
2026-04-03T00:44:59.674160+00:00	GitLab Importer	Fixing	VCID-6epx-c68d-d7bv	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/framework/CVE-2024-53277.yml	38.1.0