Package Instance
Look up vulnerable packages by Package URL (purl).
GET /api/packages/200470?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/200470?format=api", "purl": "pkg:composer/silverstripe/cms@3.1.4-rc1", "type": "composer", "namespace": "silverstripe", "name": "cms", "version": "3.1.4-rc1", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "4.4.0-rc1", "latest_non_vulnerable_version": "4.11.3", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/38042?format=api", "vulnerability_id": "VCID-2c84-9xxd-pub2", "summary": "CSRF vulnerability in GridFieldAddExistingAutocompleter\nGridField does not have sufficient CSRF protection, meaning that in some cases users with CMS access can be tricked into posting unspecified data into the CMS from external websites. Amongst other default CMS interfaces, GridField is used for management of groups, users and permissions in the CMS.", "references": [ { "reference_url": "http://www.silverstripe.org/download/security-releases/ss-2016-002/", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.silverstripe.org/download/security-releases/ss-2016-002/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/52568?format=api", "purl": "pkg:composer/silverstripe/cms@3.1.17", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-efqa-bbj4-zyhd" }, { "vulnerability": "VCID-z94y-nz4f-y7er" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/cms@3.1.17" }, { "url": "http://public2.vulnerablecode.io/api/packages/52569?format=api", "purl": "pkg:composer/silverstripe/cms@3.2.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-efqa-bbj4-zyhd" }, { "vulnerability": "VCID-z94y-nz4f-y7er" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/cms@3.2.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/52570?format=api", "purl": 
"pkg:composer/silverstripe/cms@3.3.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-z94y-nz4f-y7er" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/cms@3.3.0" } ], "aliases": [ "SS-2016-002" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2c84-9xxd-pub2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37805?format=api", "vulnerability_id": "VCID-3djp-e58j-2qey", "summary": "Cross-site Scripting\nHistory XSS Vulnerability in silverstripe.", "references": [ { "reference_url": "https://www.silverstripe.org/software/download/security-releases/ss-2015-003/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.silverstripe.org/software/download/security-releases/ss-2015-003/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/200482?format=api", "purl": "pkg:composer/silverstripe/cms@3.1.10-rc1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2c84-9xxd-pub2" }, { "vulnerability": "VCID-5cd5-kmjz-h7bv" }, { "vulnerability": "VCID-efqa-bbj4-zyhd" }, { "vulnerability": "VCID-p8xv-3qj1-h3g8" }, { "vulnerability": "VCID-wdcz-6vpn-ffd8" }, { "vulnerability": "VCID-z94y-nz4f-y7er" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/cms@3.1.10-rc1" }, { "url": "http://public2.vulnerablecode.io/api/packages/52154?format=api", "purl": "pkg:composer/silverstripe/cms@3.1.10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2c84-9xxd-pub2" }, { "vulnerability": "VCID-5cd5-kmjz-h7bv" }, { "vulnerability": "VCID-efqa-bbj4-zyhd" }, { "vulnerability": "VCID-p8xv-3qj1-h3g8" }, { "vulnerability": "VCID-wdcz-6vpn-ffd8" }, { "vulnerability": "VCID-z94y-nz4f-y7er" } ], "resource_url": 
"http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/cms@3.1.10" } ], "aliases": [ "SS-2015-003-1" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-3djp-e58j-2qey" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37803?format=api", "vulnerability_id": "VCID-3uu7-zheq-duh4", "summary": "Cross-site Scripting\nVirtualPage XSS in silverstripe.", "references": [ { "reference_url": "https://www.silverstripe.org/software/download/security-releases/ss-2015-005/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.silverstripe.org/software/download/security-releases/ss-2015-005/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/200482?format=api", "purl": "pkg:composer/silverstripe/cms@3.1.10-rc1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2c84-9xxd-pub2" }, { "vulnerability": "VCID-5cd5-kmjz-h7bv" }, { "vulnerability": "VCID-efqa-bbj4-zyhd" }, { "vulnerability": "VCID-p8xv-3qj1-h3g8" }, { "vulnerability": "VCID-wdcz-6vpn-ffd8" }, { "vulnerability": "VCID-z94y-nz4f-y7er" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/cms@3.1.10-rc1" }, { "url": "http://public2.vulnerablecode.io/api/packages/52154?format=api", "purl": "pkg:composer/silverstripe/cms@3.1.10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2c84-9xxd-pub2" }, { "vulnerability": "VCID-5cd5-kmjz-h7bv" }, { "vulnerability": "VCID-efqa-bbj4-zyhd" }, { "vulnerability": "VCID-p8xv-3qj1-h3g8" }, { "vulnerability": "VCID-wdcz-6vpn-ffd8" }, { "vulnerability": "VCID-z94y-nz4f-y7er" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/cms@3.1.10" } ], "aliases": [ "SS-2015-005-1" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": 
"http://public2.vulnerablecode.io/vulnerabilities/VCID-3uu7-zheq-duh4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/38041?format=api", "vulnerability_id": "VCID-5cd5-kmjz-h7bv", "summary": "Hostname, IP and Protocol Spoofing through HTTP Headers\nIn its default configuration, SilverStripe trusts all originating IPs to include HTTP headers for Hostname, IP and Protocol. This enables reverse proxies to forward requests while still retaining the original request information. Trusted IPs can be limited via the `SS_TRUSTED_PROXY_IPS` constant. Even with this restriction in place, SilverStripe trusts a variety of HTTP headers due to different proxy notations (e.g. `X-Forwarded-For` vs. `Client-IP`). Unless a proxy explicitly unsets invalid HTTP headers from connecting clients, this can lead to spoofing requests being passed through trusted proxies. The impact of spoofed headers can include `Director::forceSSL()` not being enforced, SS_HTTPRequest->getIP() returning a wrong IP (disabling any IP restrictions), and spoofed hostnames circumventing any hostname-specific restrictions enforced in SilverStripe Controllers. Regardless of whether you run a reverse proxy in your hosting infrastructure, please follow the instructions on Secure Coding: Request hostname forgery in order to opt in to these protections. 
If your website is not behind a reverse proxy, you might already be protected if using Apache with mod_env enabled, and you have the following line in your .htaccess file: `SetEnv BlockUntrustedIPs true`.", "references": [ { "reference_url": "http://www.silverstripe.org/download/security-releases/ss-2016-003/", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.silverstripe.org/download/security-releases/ss-2016-003/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/52568?format=api", "purl": "pkg:composer/silverstripe/cms@3.1.17", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-efqa-bbj4-zyhd" }, { "vulnerability": "VCID-z94y-nz4f-y7er" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/cms@3.1.17" }, { "url": "http://public2.vulnerablecode.io/api/packages/52569?format=api", "purl": "pkg:composer/silverstripe/cms@3.2.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-efqa-bbj4-zyhd" }, { "vulnerability": "VCID-z94y-nz4f-y7er" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/cms@3.2.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/52570?format=api", "purl": "pkg:composer/silverstripe/cms@3.3.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-z94y-nz4f-y7er" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/cms@3.3.0" } ], "aliases": [ "SS-2016-003" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5cd5-kmjz-h7bv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37955?format=api", "vulnerability_id": "VCID-efqa-bbj4-zyhd", "summary": "Advanced workflow member field exposure\nBy default, the CMS Admin editable template for the NotifyUsers action has access to a large 
number of fields, including (for instance) `Member#Password`. This would allow a malicious CMS Admin to extract other admin passwords by adding a template emailing these fields to themselves when other admins trigger the workflow. A new configuration option has been added; when this option is set to `true` via the Config API then only member fields specified via `Member.summary_fields` may be accessed.", "references": [ { "reference_url": "http://www.silverstripe.org/download/security-releases/SS-2015-023", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.silverstripe.org/download/security-releases/SS-2015-023" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/52422?format=api", "purl": "pkg:composer/silverstripe/cms@3.2.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-z94y-nz4f-y7er" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/cms@3.2.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/202099?format=api", "purl": "pkg:composer/silverstripe/cms@3.3.0-rc2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2c84-9xxd-pub2" }, { "vulnerability": "VCID-5cd5-kmjz-h7bv" }, { "vulnerability": "VCID-wdcz-6vpn-ffd8" }, { "vulnerability": "VCID-z94y-nz4f-y7er" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/cms@3.3.0-rc2" } ], "aliases": [ "SS-2015-023" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-efqa-bbj4-zyhd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37825?format=api", "vulnerability_id": "VCID-p8xv-3qj1-h3g8", "summary": "Incorrect Permission Assignment for Critical Resource\nSiteTree Creation Permission Vulnerability in silverstripe.", "references": [ { "reference_url": 
"https://www.silverstripe.org/software/download/security-releases/ss-2015-008-sitetree-creation-permission-vulnerability/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.silverstripe.org/software/download/security-releases/ss-2015-008-sitetree-creation-permission-vulnerability/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/52214?format=api", "purl": "pkg:composer/silverstripe/cms@3.1.11", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2c84-9xxd-pub2" }, { "vulnerability": "VCID-5cd5-kmjz-h7bv" }, { "vulnerability": "VCID-efqa-bbj4-zyhd" }, { "vulnerability": "VCID-wdcz-6vpn-ffd8" }, { "vulnerability": "VCID-z94y-nz4f-y7er" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/cms@3.1.11" }, { "url": "http://public2.vulnerablecode.io/api/packages/200760?format=api", "purl": "pkg:composer/silverstripe/cms@3.1.13-rc1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2c84-9xxd-pub2" }, { "vulnerability": "VCID-5cd5-kmjz-h7bv" }, { "vulnerability": "VCID-efqa-bbj4-zyhd" }, { "vulnerability": "VCID-wdcz-6vpn-ffd8" }, { "vulnerability": "VCID-z94y-nz4f-y7er" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/cms@3.1.13-rc1" } ], "aliases": [ "SS-2015-008-1" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-p8xv-3qj1-h3g8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/38043?format=api", "vulnerability_id": "VCID-wdcz-6vpn-ffd8", "summary": "Missing security check on dev/build/defaults\nThe `buildDefaults` method on `DevelopmentAdmin` is missing a permission check. In live mode, if you access /dev/build, you are requested to login first. However, if you access /dev/build/defaults, then the action is performed without any login check. 
This should be protected in the same way that /dev/build is. The `buildDefaults` view is `requireDefaultRecords()` on each `DataObject` class, and hence has the potential to modify database state. It also lists all modified tables, allowing attackers more insight into which modules are used, and how the database tables are structured.", "references": [ { "reference_url": "http://www.silverstripe.org/download/security-releases/ss-2015-028/", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.silverstripe.org/download/security-releases/ss-2015-028/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/52568?format=api", "purl": "pkg:composer/silverstripe/cms@3.1.17", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-efqa-bbj4-zyhd" }, { "vulnerability": "VCID-z94y-nz4f-y7er" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/cms@3.1.17" }, { "url": "http://public2.vulnerablecode.io/api/packages/52569?format=api", "purl": "pkg:composer/silverstripe/cms@3.2.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-efqa-bbj4-zyhd" }, { "vulnerability": "VCID-z94y-nz4f-y7er" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/cms@3.2.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/52570?format=api", "purl": "pkg:composer/silverstripe/cms@3.3.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-z94y-nz4f-y7er" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/cms@3.3.0" } ], "aliases": [ "SS-2015-028" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-wdcz-6vpn-ffd8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/51850?format=api", "vulnerability_id": "VCID-z94y-nz4f-y7er", "summary": 
"Improper Privilege Management\nIn SilverStripe, a missing warning about leaving `install.php` in a public webroot can lead to unauthenticated admin access.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2019-12204", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00832", "scoring_system": "epss", "scoring_elements": "0.74941", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-12204" }, { "reference_url": "https://forum.silverstripe.org/c/releases", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://forum.silverstripe.org/c/releases" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2019-12204.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2019-12204.yaml" }, { "reference_url": "https://packagist.org/packages/silverstripe/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://packagist.org/packages/silverstripe/cms" }, { "reference_url": "https://packagist.org/packages/silverstripe/framework", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://packagist.org/packages/silverstripe/framework" }, { "reference_url": "https://www.silverstripe.org/download/security-releases", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.silverstripe.org/download/security-releases" }, { "reference_url": "https://www.silverstripe.org/download/security-releases/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.silverstripe.org/download/security-releases/" }, { "reference_url": "https://www.silverstripe.org/download/security-releases/cve-2019-12204", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.silverstripe.org/download/security-releases/cve-2019-12204" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12204", "reference_id": "CVE-2019-12204", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12204" }, { "reference_url": "https://www.silverstripe.org/download/security-releases/CVE-2019-12204", "reference_id": "CVE-2019-12204", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", 
"scoring_elements": "" } ], "url": "https://www.silverstripe.org/download/security-releases/CVE-2019-12204" }, { "reference_url": "https://github.com/advisories/GHSA-cg8j-8w52-735v", "reference_id": "GHSA-cg8j-8w52-735v", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-cg8j-8w52-735v" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/76181?format=api", "purl": "pkg:composer/silverstripe/cms@4.3.6", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/cms@4.3.6" }, { "url": "http://public2.vulnerablecode.io/api/packages/244109?format=api", "purl": "pkg:composer/silverstripe/cms@4.4.0-rc1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/cms@4.4.0-rc1" }, { "url": "http://public2.vulnerablecode.io/api/packages/76182?format=api", "purl": "pkg:composer/silverstripe/cms@4.4.4", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/cms@4.4.4" } ], "aliases": [ "CVE-2019-12204", "GHSA-cg8j-8w52-735v" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-z94y-nz4f-y7er" } ], "fixing_vulnerabilities": [], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/cms@3.1.4-rc1" }