{"url":"http://public2.vulnerablecode.io/api/packages/60382?format=json","purl":"pkg:composer/silverstripe/framework@4.10.1","type":"composer","namespace":"silverstripe","name":"framework","version":"4.10.1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"5.3.23","latest_non_vulnerable_version":"6.0.0-alpha1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/56522?format=json","vulnerability_id":"VCID-11sx-j3x7-gkcr","summary":"Reflected Cross Site Scripting (XSS) in error message\nIf a website has been set to the \"dev\" environment mode, a URL can be provided which includes an XSS payload which will be executed in the resulting error message.","references":[{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2024-002.yaml","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2024-002.yaml"},{"reference_url":"https://github.com/silverstripe/silverstripe-framework","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/silverstripe/silverstripe-framework"},{"reference_url":"https://www.silverstripe.org/download/security-releases/ss-2024-002","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.silverstripe.org/download/security-releases/ss-2024-002"},{"reference_url":"https://github.com/advisories/GHSA-74j9-xhqr-6qv3","reference_id":"GHSA-74j9-xhqr-6qv3","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-74j9-xhqr-6qv3"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/83724?format=json","purl":"pkg:composer/silverstripe/framework@5.3.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2hk2-hzyh-wbhf"},{"vulnerability":"VCID-79qx-v5uu-jyf2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@5.3.8"}],"aliases":["GHSA-74j9-xhqr-6qv3"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-11sx-j3x7-gkcr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/110589?format=json","vulnerability_id":"VCID-1p79-328x-sueq","summary":"Quadratic blowup in Convert::xml2array()\nSilverstripe silverstripe/framework 4.x until 4.10.9 has a quadratic blowup in Convert::xml2array() that enables a remote attack via a crafted XML document.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-41559","reference_id":"","reference_type":"","scores":[{"value":"0.00348","scoring_system":"epss","scoring_elements":"0.57671","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00348","scoring_system":"epss","scoring_elements":"0.57619","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-41559"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2021-41559.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2021-41559.yaml"},{"reference_url":"https://github.com/silverstripe/silverstripe-framework/releases","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/silverstripe/silverstripe-framework/releases"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-41559","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-41559"},{"reference_url":"https://www.silverstripe.org/download/security-releases","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.silverstripe.org/download/security-releases"},{"reference_url":"https://www.silverstripe.org/download/security-releases/","reference_id":"","reference_type":"","scores":[],"url":"https://www.silverstripe.org/download/security-releases/"},{"reference_url":"https://www.silverstripe.org/download/security-releases/cve-2021-41559","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.silverstripe.org/download/security-releases/cve-2021-41559"},{"reference_url":"https://github.com/advisories/GHSA-9fmg-89fx-r33w","reference_id":"GHSA-9fmg-89fx-r33w","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9fmg-89fx-r33w"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/149279?format=json","purl":"pkg:composer/silverstripe/framework@4.10.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11sx-j3x7-gkcr"},{"vulnerability":"VCID-2hk2-hzyh-wbhf"},{"vulnerability":"VCID-5cfa-whq6-9ucp"},{"vulnerability":"VCID-79qx-v5uu-jyf2"},{"vulnerability":"VCID-7gak-15m5-j3f5"},{"vulnerability":"VCID-7w7t-3783-1kbs"},{"vulnerability":"VCID-86vg-4j71-hkgr"},{"vulnerability":"VCID-8u5c-6vx3-mfcr"},{"vulnerability":"VCID-9t4k-8hsz-bfdw"},{"vulnerability":"VCID-9y5u-qyzd-3ud9"},{"vulnerability":"VCID-a7cf-kpzy-xudd"},{"vulnerability":"VCID-ca4q-xd4v-vqfe"},{"vulnerability":"VCID-gnpw-s9hp-wqfs"},{"vulnerability":"VCID-k46z-g6jp-57ek"},{"vulnerability":"VCID-ky21-z2d2-sye6"},{"vulnerability":"VCID-uy47-3s8a-hbdn"},{"vulnerability":"VCID-xm4q-u96p-57dd"},{"vulnerability":"VCID-zdge-zsmz-8ud9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@4.10.9"},{"url":"http://public2.vulnerablecode.io/api/packages/595466?format=json","purl":"pkg:composer/silverstripe/framework@4.11.0-beta1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11sx-j3x7-gkcr"},{"vulnerability":"VCID-2hk2-hzyh-wbhf"},{"vulnerability":"VCID-5cfa-whq6-9ucp"},{"vulnerability":"VCID-79qx-v5uu-jyf2"},{"vulnerability":"VCID-7w7t-3783-1kbs"},{"vulnerability":"VCID-86vg-4j71-hkgr"},{"vulnerability":"VCID-8u5c-6vx3-mfcr"},{"vulnerability":"VCID-9t4k-8hsz-bfdw"},{"vulnerability":"VCID-9y5u-qyzd-3ud9"},{"vulnerability":"VCID-a7cf-kpzy-xudd"},{"vulnerability":"VCID-ca4q-xd4v-vqfe"},{"vulnerability":"VCID-gnpw-s9hp-wqfs"},{"vulnerability":"VCID-k46z-g6jp-57ek"},{"vulnerability":"VCID-ky21-z2d2-sye6"},{"vulnerability":"VCID-uy47-3s8a-hbdn"},{"vulnerability":"VCID-xm4q-u96p-57dd"},{"vulnerability":"VCID-zdge-zsmz-8ud9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@4.11.0-beta1"}],"aliases":["CVE-2021-41559","GHSA-9fmg-89fx-r33w"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1p79-328x-sueq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/110792?format=json","vulnerability_id":"VCID-24a5-ruc4-bycq","summary":"Stored XSS in link tags added via XHR in SilverStripe Framework\nSilverStripe Framework 4.x prior to 4.10.9 is vulnerable to cross-site scripting inside the href attribute of an HTML hyperlink, which can be added to website content via XMLHttpRequest (XHR) by an authenticated CMS user.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-28803","reference_id":"","reference_type":"","scores":[{"value":"0.00188","scoring_system":"epss","scoring_elements":"0.40417","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00188","scoring_system":"epss","scoring_elements":"0.40497","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-28803"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2022-28803.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2022-28803.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-28803","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-28803"},{"reference_url":"https://www.silverstripe.org/download/security-releases/cve-2022-28803","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.silverstripe.org/download/security-releases/cve-2022-28803"},{"reference_url":"https://github.com/advisories/GHSA-rppc-655v-7j3c","reference_id":"GHSA-rppc-655v-7j3c","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rppc-655v-7j3c"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/149279?format=json","purl":"pkg:composer/silverstripe/framework@4.10.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11sx-j3x7-gkcr"},{"vulnerability":"VCID-2hk2-hzyh-wbhf"},{"vulnerability":"VCID-5cfa-whq6-9ucp"},{"vulnerability":"VCID-79qx-v5uu-jyf2"},{"vulnerability":"VCID-7gak-15m5-j3f5"},{"vulnerability":"VCID-7w7t-3783-1kbs"},{"vulnerability":"VCID-86vg-4j71-hkgr"},{"vulnerability":"VCID-8u5c-6vx3-mfcr"},{"vulnerability":"VCID-9t4k-8hsz-bfdw"},{"vulnerability":"VCID-9y5u-qyzd-3ud9"},{"vulnerability":"VCID-a7cf-kpzy-xudd"},{"vulnerability":"VCID-ca4q-xd4v-vqfe"},{"vulnerability":"VCID-gnpw-s9hp-wqfs"},{"vulnerability":"VCID-k46z-g6jp-57ek"},{"vulnerability":"VCID-ky21-z2d2-sye6"},{"vulnerability":"VCID-uy47-3s8a-hbdn"},{"vulnerability":"VCID-xm4q-u96p-57dd"},{"vulnerability":"VCID-zdge-zsmz-8ud9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@4.10.9"}],"aliases":["CVE-2022-28803","GHSA-rppc-655v-7j3c"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-24a5-ruc4-bycq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57120?format=json","vulnerability_id":"VCID-2hk2-hzyh-wbhf","summary":"Silverstripe Framework user enumeration via timing attack on login and password reset forms\nUser enumeration is possible by performing a timing attack on the login or password reset pages with user credentials.\n\nThis was originally disclosed in https://www.silverstripe.org/download/security-releases/ss-2017-005/ for CMS 3 but was not patched in CMS 4+","references":[{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2025-001.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2025-001.yaml"},{"reference_url":"https://github.com/silverstripe/silverstripe-framework","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/silverstripe/silverstripe-framework"},{"reference_url":"https://github.com/silverstripe/silverstripe-framework/pull/11681","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/silverstripe/silverstripe-framework/pull/11681"},{"reference_url":"https://www.silverstripe.org/download/security-releases/ss-2017-005","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.silverstripe.org/download/security-releases/ss-2017-005"},{"reference_url":"https://www.silverstripe.org/download/security-releases/ss-2025-001","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.silverstripe.org/download/security-releases/ss-2025-001"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-12849","reference_id":"CVE-2017-12849","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-12849"},{"reference_url":"https://github.com/advisories/GHSA-256q-hx8w-xcqx","reference_id":"GHSA-256q-hx8w-xcqx","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-256q-hx8w-xcqx"},{"reference_url":"https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-256q-hx8w-xcqx","reference_id":"GHSA-256q-hx8w-xcqx","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-256q-hx8w-xcqx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/84817?format=json","purl":"pkg:composer/silverstripe/framework@5.3.23","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@5.3.23"}],"aliases":["GHSA-256q-hx8w-xcqx"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2hk2-hzyh-wbhf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/56456?format=json","vulnerability_id":"VCID-5cfa-whq6-9ucp","summary":"Silverstripe Framework has a XSS in form messages\nIn some cases, form messages can contain HTML markup. This is an intentional feature, allowing links and other relevant HTML markup for the given message.\n\nSome form messages include content that the user can provide. There are scenarios in the CMS where that content doesn't get correctly sanitised prior to being included in the form message, resulting in an XSS vulnerability.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-53277","reference_id":"","reference_type":"","scores":[{"value":"0.01452","scoring_system":"epss","scoring_elements":"0.81169","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-53277"},{"reference_url":"https://github.com/silverstripe/silverstripe-framework","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/silverstripe/silverstripe-framework"},{"reference_url":"https://github.com/silverstripe/silverstripe-framework/commit/74904f539347b7d1f8c5b5fb9e28d62ff251ee00","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-15T14:52:17Z/"}],"url":"https://github.com/silverstripe/silverstripe-framework/commit/74904f539347b7d1f8c5b5fb9e28d62ff251ee00"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-53277","reference_id":"CVE-2024-53277","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-53277"},{"reference_url":"https://www.silverstripe.org/download/security-releases/cve-2024-53277","reference_id":"CVE-2024-53277","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-15T14:52:17Z/"}],"url":"https://www.silverstripe.org/download/security-releases/cve-2024-53277"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2024-53277.yaml","reference_id":"CVE-2024-53277.YAML","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2024-53277.yaml"},{"reference_url":"https://github.com/advisories/GHSA-ff6q-3c9c-6cf5","reference_id":"GHSA-ff6q-3c9c-6cf5","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-ff6q-3c9c-6cf5"},{"reference_url":"https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-ff6q-3c9c-6cf5","reference_id":"GHSA-ff6q-3c9c-6cf5","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-15T14:52:17Z/"}],"url":"https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-ff6q-3c9c-6cf5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/83724?format=json","purl":"pkg:composer/silverstripe/framework@5.3.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2hk2-hzyh-wbhf"},{"vulnerability":"VCID-79qx-v5uu-jyf2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@5.3.8"},{"url":"http://public2.vulnerablecode.io/api/packages/794824?format=json","purl":"pkg:composer/silverstripe/framework@6.0.0-alpha1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@6.0.0-alpha1"}],"aliases":["CVE-2024-53277","GHSA-ff6q-3c9c-6cf5"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5cfa-whq6-9ucp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57123?format=json","vulnerability_id":"VCID-79qx-v5uu-jyf2","summary":"Silverstripe Framework has a XSS vulnerability in HTML editor\nA bad actor with access to edit content in the CMS could send a specifically crafted encoded payload to the server, which could be used to inject a JavaScript payload on the front end of the site. The payload would be sanitised on the client-side, but server-side sanitisation doesn't catch it.\n\nThe server-side sanitisation logic has been updated to sanitise against this attack.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-30148","reference_id":"","reference_type":"","scores":[{"value":"0.00224","scoring_system":"epss","scoring_elements":"0.45229","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-30148"},{"reference_url":"https://github.com/silverstripe/silverstripe-framework","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/silverstripe/silverstripe-framework"},{"reference_url":"https://github.com/silverstripe/silverstripe-framework/commit/e99cfd62d160d145a76fcf9631e6b11226e42358","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-10T13:34:01Z/"}],"url":"https://github.com/silverstripe/silverstripe-framework/commit/e99cfd62d160d145a76fcf9631e6b11226e42358"},{"reference_url":"https://github.com/silverstripe/silverstripe-framework/pull/11682","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/silverstripe/silverstripe-framework/pull/11682"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-30148","reference_id":"CVE-2025-30148","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-30148"},{"reference_url":"https://www.silverstripe.org/download/security-releases/cve-2025-30148","reference_id":"CVE-2025-30148","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-10T13:34:01Z/"}],"url":"https://www.silverstripe.org/download/security-releases/cve-2025-30148"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2025-30148.yaml","reference_id":"CVE-2025-30148.YAML","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2025-30148.yaml"},{"reference_url":"https://github.com/advisories/GHSA-rhx4-hvx9-j387","reference_id":"GHSA-rhx4-hvx9-j387","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-rhx4-hvx9-j387"},{"reference_url":"https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-rhx4-hvx9-j387","reference_id":"GHSA-rhx4-hvx9-j387","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-10T13:34:01Z/"}],"url":"https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-rhx4-hvx9-j387"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/84817?format=json","purl":"pkg:composer/silverstripe/framework@5.3.23","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@5.3.23"}],"aliases":["CVE-2025-30148","GHSA-rhx4-hvx9-j387"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-79qx-v5uu-jyf2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/110159?format=json","vulnerability_id":"VCID-7gak-15m5-j3f5","summary":"Blind SQL Injection via GridFieldSortableHeader\nGridfield state is vulnerable to SQL injections. The vast majority of Gridfields in Silverstripe CMS are affected by this vulnerability.\n\nAn attacker with CMS access could execute an arbitrary SQL statement by adding an SQL payload in some parts of the GridField state.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-38148","reference_id":"","reference_type":"","scores":[{"value":"0.00292","scoring_system":"epss","scoring_elements":"0.52915","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00292","scoring_system":"epss","scoring_elements":"0.52855","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-38148"},{"reference_url":"https://forum.silverstripe.org/c/releases","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-30T15:26:27Z/"}],"url":"https://forum.silverstripe.org/c/releases"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2022-38148.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2022-38148.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-38148","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-38148"},{"reference_url":"https://www.silverstripe.org/blog/tag/release","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-30T15:26:27Z/"}],"url":"https://www.silverstripe.org/blog/tag/release"},{"reference_url":"https://www.silverstripe.org/download/security-releases","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.silverstripe.org/download/security-releases"},{"reference_url":"https://www.silverstripe.org/download/security-releases/CVE-2022-38148","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-30T15:26:27Z/"}],"url":"https://www.silverstripe.org/download/security-releases/CVE-2022-38148"},{"reference_url":"https://github.com/advisories/GHSA-rr8h-f97q-8p9c","reference_id":"GHSA-rr8h-f97q-8p9c","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rr8h-f97q-8p9c"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/148572?format=json","purl":"pkg:composer/silverstripe/framework@4.10.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11sx-j3x7-gkcr"},{"vulnerability":"VCID-2hk2-hzyh-wbhf"},{"vulnerability":"VCID-5cfa-whq6-9ucp"},{"vulnerability":"VCID-79qx-v5uu-jyf2"},{"vulnerability":"VCID-86vg-4j71-hkgr"},{"vulnerability":"VCID-8u5c-6vx3-mfcr"},{"vulnerability":"VCID-9y5u-qyzd-3ud9"},{"vulnerability":"VCID-a7cf-kpzy-xudd"},{"vulnerability":"VCID-gnpw-s9hp-wqfs"},{"vulnerability":"VCID-k46z-g6jp-57ek"},{"vulnerability":"VCID-ky21-z2d2-sye6"},{"vulnerability":"VCID-uy47-3s8a-hbdn"},{"vulnerability":"VCID-zdge-zsmz-8ud9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@4.10.11"},{"url":"http://public2.vulnerablecode.io/api/packages/148573?format=json","purl":"pkg:composer/silverstripe/framework@4.11.14","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11sx-j3x7-gkcr"},{"vulnerability":"VCID-2hk2-hzyh-wbhf"},{"vulnerability":"VCID-5cfa-whq6-9ucp"},{"vulnerability":"VCID-79qx-v5uu-jyf2"},{"vulnerability":"VCID-86vg-4j71-hkgr"},{"vulnerability":"VCID-8u5c-6vx3-mfcr"},{"vulnerability":"VCID-9y5u-qyzd-3ud9"},{"vulnerability":"VCID-a7cf-kpzy-xudd"},{"vulnerability":"VCID-gnpw-s9hp-wqfs"},{"vulnerability":"VCID-k46z-g6jp-57ek"},{"vulnerability":"VCID-ky21-z2d2-sye6"},{"vulnerability":"VCID-zdge-zsmz-8ud9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@4.11.14"}],"aliases":["CVE-2022-38148","GHSA-rr8h-f97q-8p9c"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7gak-15m5-j3f5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/110112?format=json","vulnerability_id":"VCID-7w7t-3783-1kbs","summary":"Stored XSS using uppercase characters in HTMLEditor\nA malicious content author could add a Javascript payload to the href attribute of a link. A similar issue was identified and fixed via CVE-2022-28803. However, the fix didn't account for the casing of the href attribute. An attacker must have access to the CMS to exploit this issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-37430","reference_id":"","reference_type":"","scores":[{"value":"0.00322","scoring_system":"epss","scoring_elements":"0.55551","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00322","scoring_system":"epss","scoring_elements":"0.55495","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-37430"},{"reference_url":"https://forum.silverstripe.org/c/releases","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-25T20:31:52Z/"}],"url":"https://forum.silverstripe.org/c/releases"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2022-37430.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2022-37430.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-37430","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-37430"},{"reference_url":"https://www.silverstripe.org/blog/tag/release","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-25T20:31:52Z/"}],"url":"https://www.silverstripe.org/blog/tag/release"},{"reference_url":"https://www.silverstripe.org/download/security-releases","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.silverstripe.org/download/security-releases"},{"reference_url":"https://www.silverstripe.org/download/security-releases/","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-25T20:31:52Z/"}],"url":"https://www.silverstripe.org/download/security-releases/"},{"reference_url":"https://www.silverstripe.org/download/security-releases/cve-2022-37430","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.silverstripe.org/download/security-releases/cve-2022-37430"},{"reference_url":"https://www.silverstripe.org/download/security-releases/CVE-2022-37430","reference_id":"CVE-2022-37430","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-25T20:31:52Z/"}],"url":"https://www.silverstripe.org/download/security-releases/CVE-2022-37430"},{"reference_url":"https://github.com/advisories/GHSA-qw4w-vq8v-2wcv","reference_id":"GHSA-qw4w-vq8v-2wcv","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qw4w-vq8v-2wcv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/148496?format=json","purl":"pkg:composer/silverstripe/framework@4.11.13","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11sx-j3x7-gkcr"},{"vulnerability":"VCID-2hk2-hzyh-wbhf"},{"vulnerability":"VCID-5cfa-whq6-9ucp"},{"vulnerability":"VCID-79qx-v5uu-jyf2"},{"vulnerability":"VCID-7gak-15m5-j3f5"},{"vulnerability":"VCID-86vg-4j71-hkgr"},{"vulnerability":"VCID-8u5c-6vx3-mfcr"},{"vulnerability":"VCID-9y5u-qyzd-3ud9"},{"vulnerability":"VCID-a7cf-kpzy-xudd"},{"vulnerability":"VCID-gnpw-s9hp-wqfs"},{"vulnerability":"VCID-k46z-g6jp-57ek"},{"vulnerability":"VCID-ky21-z2d2-sye6"},{"vulnerability":"VCID-zdge-zsmz-8ud9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@4.11.13"},{"url":"http://public2.vulnerablecode.io/api/packages/621880?format=json","purl":"pkg:composer/silverstripe/framework@4.12.0-beta1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11sx-j3x7-gkcr"},{"vulnerability":"VCID-2hk2-hzyh-wbhf"},{"vulnerability":"VCID-5cfa-whq6-9ucp"},{"vulnerability":"VCID-79qx-v5uu-jyf2"},{"vulnerability":"VCID-86vg-4j71-hkgr"},{"vulnerability":"VCID-8u5c-6vx3-mfcr"},{"vulnerability":"VCID-9y5u-qyzd-3ud9"},{"vulnerability":"VCID-a7cf-kpzy-xudd"},{"vulnerability":"VCID-gnpw-s9hp-wqfs"},{"vulnerability":"VCID-k46z-g6jp-57ek"},{"vulnerability":"VCID-ky21-z2d2-sye6"},{"vulnerability":"VCID-zdge-zsmz-8ud9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@4.12.0-beta1"}],"aliases":["CVE-2022-37430","GHSA-qw4w-vq8v-2wcv","GMS-2022-6857"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7w7t-3783-1kbs"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/56468?format=json","vulnerability_id":"VCID-86vg-4j71-hkgr","summary":"Silverstripe Framework has a XSS via insert media remote file oembed\nWhen using the \"insert media\" functionality, the linked oEmbed JSON includes an HTML attribute which will replace the embed shortcode. The HTML is not sanitized before replacing the shortcode, allowing a script payload to be executed on both the CMS and the front-end of the website.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-47605","reference_id":"","reference_type":"","scores":[{"value":"0.07112","scoring_system":"epss","scoring_elements":"0.91697","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-47605"},{"reference_url":"https://github.com/silverstripe/silverstripe-framework","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/silverstripe/silverstripe-framework"},{"reference_url":"https://github.com/silverstripe/silverstripe-framework/commit/09b5052c86932f273e0d733428c9aade70ff2a4a","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-15T14:53:47Z/"}],"url":"https://github.com/silverstripe/silverstripe-framework/commit/09b5052c86932f273e0d733428c9aade70ff2a4a"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52199.txt","reference_id":"CVE-2024-47605","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52199.txt"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47605","reference_id":"CVE-2024-47605","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47605"},{"reference_url":"https://www.silverstripe.org/download/security-releases/cve-2024-47605","reference_id":"CVE-2024-47605","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-15T14:53:47Z/"}],"url":"https://www.silverstripe.org/download/security-releases/cve-2024-47605"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2024-47605.yaml","reference_id":"CVE-2024-47605.YAML","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2024-47605.yaml"},{"reference_url":"https://github.com/advisories/GHSA-7cmp-cgg8-4c82","reference_id":"GHSA-7cmp-cgg8-4c82","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-7cmp-cgg8-4c82"},{"reference_url":"https://github.com/silverstripe/silverstripe-asset-admin/security/advisories/GHSA-7cmp-cgg8-4c82","reference_id":"GHSA-7cmp-cgg8-4c82","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-15T14:53:47Z/"}],"url":"https://github.com/silverstripe/silverstripe-asset-admin/security/advisories/GHSA-7cmp-cgg8-4c82"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/83724?format=json","purl":"pkg:composer/silverstripe/framework@5.3.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2hk2-hzyh-wbhf"},{"vulnerability":"VCID-79qx-v5uu-jyf2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@5.3.8"},{"url":"http://public2.vulnerablecode.io/api/packages/794824?format=json","purl":"pkg:composer/silverstripe/framework@6.0.0-alpha1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@6.0.0-alpha1"}],"aliases":["CVE-2024-47605","GHSA-7cmp-cgg8-4c82"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-86vg-4j71-hkgr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/56477?format=json","vulnerability_id":"VCID-8u5c-6vx3-mfcr","summary":"Silverstripe Framework has a Reflected Cross Site Scripting (XSS) in error message\n> [!IMPORTANT]\n> This vulnerability only affects sites which are in the \"dev\" environment mode. If your production website is in \"dev\" mode, it has been misconfigured, and you should immediately swap it to \"live\" mode.\n> See https://docs.silverstripe.org/en/developer_guides/debugging/environment_types/ for more information.\n\nIf a website has been set to the \"dev\" environment mode, a URL can be provided which includes an XSS payload which will be executed in the resulting error message.","references":[{"reference_url":"https://github.com/silverstripe/silverstripe-framework","reference_id":"","reference_type":"","scores":[{"value":"0.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/silverstripe/silverstripe-framework"},{"reference_url":"https://github.com/silverstripe/silverstripe-framework/commit/a555dad4ec73c929f6316bcb4019eb325a5b77d8","reference_id":"","reference_type":"","scores":[{"value":"0.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/silverstripe/silverstripe-framework/commit/a555dad4ec73c929f6316bcb4019eb325a5b77d8"},{"reference_url":"https://www.silverstripe.org/download/security-releases/ss-2024-002","reference_id":"","reference_type":"","scores":[{"value":"0.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.silverstripe.org/download/security-releases/ss-2024-002"},{"reference_url":"https://github.com/advisories/GHSA-mqf3-qpc3-g26q","reference_id":"GHSA-mqf3-qpc3-g26q","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-mqf3-qpc3-g26q"},{"reference_url":"https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-mqf3-qpc3-g26q","reference_id":"GHSA-mqf3-qpc3-g26q","reference_type":"","scores":[{"value":"0.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-mqf3-qpc3-g26q"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/83724?format=json","purl":"pkg:composer/silverstripe/framework@5.3.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2hk2-hzyh-wbhf"},{"vulnerability":"VCID-79qx-v5uu-jyf2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@5.3.8"},{"url":"http://public2.vulnerablecode.io/api/packages/794824?format=json","purl":"pkg:composer/silverstripe/framework@6.0.0-alpha1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@6.0.0-alpha1"}],"aliases":["GHSA-mqf3-qpc3-g26q"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8u5c-6vx3-mfcr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/110323?format=json","vulnerability_id":"VCID-9t4k-8hsz-bfdw","summary":"Reflected XSS in querystring parameters\nAn attacker could inject a XSS payload in a Silverstripe CMS response by carefully crafting a return URL on a /dev/build or /Security/login request.\n\nTo exploit this vulnerability, an attacker would need to convince a user to follow a link with a malicious payload.\n\nThis will only affect projects configured to output PHP warnings to the browser. By default, Silverstripe CMS will only output PHP warnings if your SS_ENVIRONMENT_TYPE environment variable is set to dev. Production sites should always set SS_ENVIRONMENT_TYPE to live.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-38462","reference_id":"","reference_type":"","scores":[{"value":"0.0068","scoring_system":"epss","scoring_elements":"0.72021","published_at":"2026-06-05T12:55:00Z"},{"value":"0.0068","scoring_system":"epss","scoring_elements":"0.71981","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-38462"},{"reference_url":"https://forum.silverstripe.org/c/releases","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-29T04:36:33Z/"}],"url":"https://forum.silverstripe.org/c/releases"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2022-38462.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2022-38462.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-38462","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-38462"},{"reference_url":"https://www.silverstripe.org/blog/tag/release","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-29T04:36:33Z/"}],"url":"https://www.silverstripe.org/blog/tag/release"},{"reference_url":"https://www.silverstripe.org/download/security-releases","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.silverstripe.org/download/security-releases"},{"reference_url":"https://www.silverstripe.org/download/security-releases/cve-2022-38462","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.silverstripe.org/download/security-releases/cve-2022-38462"},{"reference_url":"https://github.com/advisories/GHSA-vvxf-r4vm-2vm6","reference_id":"GHSA-vvxf-r4vm-2vm6","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vvxf-r4vm-2vm6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/148496?format=json","purl":"pkg:composer/silverstripe/framework@4.11.13","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11sx-j3x7-gkcr"},{"vulnerability":"VCID-2hk2-hzyh-wbhf"},{"vulnerability":"VCID-5cfa-whq6-9ucp"},{"vulnerability":"VCID-79qx-v5uu-jyf2"},{"vulnerability":"VCID-7gak-15m5-j3f5"},{"vulnerability":"VCID-86vg-4j71-hkgr"},{"vulnerability":"VCID-8u5c-6vx3-mfcr"},{"vulnerability":"VCID-9y5u-qyzd-3ud9"},{"vulnerability":"VCID-a7cf-kpzy-xudd"},{"vulnerability":"VCID-gnpw-s9hp-wqfs"},{"vulnerability":"VCID-k46z-g6jp-57ek"},{"vulnerability":"VCID-ky21-z2d2-sye6"},{"vulnerability":"VCID-zdge-zsmz-8ud9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@4.11.13"},{"url":"http://public2.vulnerablecode.io/api/packages/621880?format=json","purl":"pkg:composer/silverstripe/framework@4.12.0-beta1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11sx-j3x7-gkcr"},{"vulnerability":"VCID-2hk2-hzyh-wbhf"},{"vulnerability":"VCID-5cfa-whq6-9ucp"},{"vulnerability":"VCID-79qx-v5uu-jyf2"},{"vulnerability":"VCID-86vg-4j71-hkgr"},{"vulnerability":"VCID-8u5c-6vx3-mfcr"},{"vulnerability":"VCID-9y5u-qyzd-3ud9"},{"vulnerability":"VCID-a7cf-kpzy-xudd"},{"vulnerability":"VCID-gnpw-s9hp-wqfs"},{"vulnerability":"VCID-k46z-g6jp-57ek"},{"vulnerability":"VCID-ky21-z2d2-sye6"},{"vulnerability":"VCID-zdge-zsmz-8ud9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@4.12.0-beta1"}],"aliases":["CVE-2022-38462","GHSA-vvxf-r4vm-2vm6","GMS-2022-6858"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9t4k-8hsz-bfdw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/46874?format=json","vulnerability_id":"VCID-9y5u-qyzd-3ud9","summary":"Exposure of Sensitive Information to an Unauthorized Actor\nSilverstripe Framework is the framework that forms the base of the Silverstripe content management system. Prior to versions 4.13.39 and 5.1.11, if a user should not be able to see a record, but that record can be added to a `GridField` using the `GridFieldAddExistingAutocompleter` component, the record's title can be accessed by that user. Versions 4.13.39 and 5.1.11 contain a fix for this issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-48714","reference_id":"","reference_type":"","scores":[{"value":"0.00226","scoring_system":"epss","scoring_elements":"0.45478","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-48714"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2023-48714.yaml","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2023-48714.yaml"},{"reference_url":"https://github.com/silverstripe/silverstripe-framework","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/silverstripe/silverstripe-framework"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-48714","reference_id":"CVE-2023-48714","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-48714"},{"reference_url":"https://www.silverstripe.org/download/security-releases/CVE-2023-48714","reference_id":"CVE-2023-48714","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-23T23:32:05Z/"}],"url":"https://www.silverstripe.org/download/security-releases/CVE-2023-48714"},{"reference_url":"https://github.com/advisories/GHSA-qm2j-qvq3-j29v","reference_id":"GHSA-qm2j-qvq3-j29v","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qm2j-qvq3-j29v"},{"reference_url":"https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-qm2j-qvq3-j29v","reference_id":"GHSA-qm2j-qvq3-j29v","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-23T23:32:05Z/"}],"url":"https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-qm2j-qvq3-j29v"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/68579?format=json","purl":"pkg:composer/silverstripe/framework@4.13.39","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11sx-j3x7-gkcr"},{"vulnerability":"VCID-2hk2-hzyh-wbhf"},{"vulnerability":"VCID-5cfa-whq6-9ucp"},{"vulnerability":"VCID-79qx-v5uu-jyf2"},{"vulnerability":"VCID-86vg-4j71-hkgr"},{"vulnerability":"VCID-8u5c-6vx3-mfcr"},{"vulnerability":"VCID-k46z-g6jp-57ek"},{"vulnerability":"VCID-ky21-z2d2-sye6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@4.13.39"},{"url":"http://public2.vulnerablecode.io/api/packages/68580?format=json","purl":"pkg:composer/silverstripe/framework@5.1.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11sx-j3x7-gkcr"},{"vulnerability":"VCID-2hk2-hzyh-wbhf"},{"vulnerability":"VCID-5cfa-whq6-9ucp"},{"vulnerability":"VCID-79qx-v5uu-jyf2"},{"vulnerability":"VCID-86vg-4j71-hkgr"},{"vulnerability":"VCID-8u5c-6vx3-mfcr"},{"vulnerability":"VCID-k46z-g6jp-57ek"},{"vulnerability":"VCID-ky21-z2d2-sye6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@5.1.11"}],"aliases":["CVE-2023-48714","GHSA-qm2j-qvq3-j29v"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9y5u-qyzd-3ud9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/45052?format=json","vulnerability_id":"VCID-a7cf-kpzy-xudd","summary":"URL Redirection to Untrusted Site ('Open Redirect')\nSilverstripe Framework is the Model-View-Controller framework that powers the Silverstripe content management system. Prior to version 4.12.15, an attacker can display a link to a third party website on a login screen by convincing a legitimate content author to follow a specially crafted link. Users should upgrade to Silverstripe Framework 4.12.15 or above to address the issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-22729","reference_id":"","reference_type":"","scores":[{"value":"0.00203","scoring_system":"epss","scoring_elements":"0.42323","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00203","scoring_system":"epss","scoring_elements":"0.42248","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-22729"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2023-22729.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2023-22729.yaml"},{"reference_url":"https://github.com/silverstripe/silverstripe-framework","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/silverstripe/silverstripe-framework"},{"reference_url":"https://github.com/silverstripe/silverstripe-framework/commit/1a5bb4cbece1721203977910b8ecd8b79c18dc77","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-31T16:10:14Z/"}],"url":"https://github.com/silverstripe/silverstripe-framework/commit/1a5bb4cbece1721203977910b8ecd8b79c18dc77"},{"reference_url":"https://www.silverstripe.org/download/security-releases/cve-2023-22729","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.silverstripe.org/download/security-releases/cve-2023-22729"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-22729","reference_id":"CVE-2023-22729","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-22729"},{"reference_url":"https://github.com/advisories/GHSA-fw84-xgm8-9jmv","reference_id":"GHSA-fw84-xgm8-9jmv","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-fw84-xgm8-9jmv"},{"reference_url":"https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-fw84-xgm8-9jmv","reference_id":"GHSA-fw84-xgm8-9jmv","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-31T16:10:14Z/"}],"url":"https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-fw84-xgm8-9jmv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/64977?format=json","purl":"pkg:composer/silverstripe/framework@4.12.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11sx-j3x7-gkcr"},{"vulnerability":"VCID-2hk2-hzyh-wbhf"},{"vulnerability":"VCID-5cfa-whq6-9ucp"},{"vulnerability":"VCID-79qx-v5uu-jyf2"},{"vulnerability":"VCID-86vg-4j71-hkgr"},{"vulnerability":"VCID-8u5c-6vx3-mfcr"},{"vulnerability":"VCID-9y5u-qyzd-3ud9"},{"vulnerability":"VCID-gnpw-s9hp-wqfs"},{"vulnerability":"VCID-k46z-g6jp-57ek"},{"vulnerability":"VCID-ky21-z2d2-sye6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@4.12.5"}],"aliases":["CVE-2023-22729","GHSA-fw84-xgm8-9jmv"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-a7cf-kpzy-xudd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/110171?format=json","vulnerability_id":"VCID-ca4q-xd4v-vqfe","summary":"Silverstripe XSS in shortcodes\nA malicious content author could add arbitrary attributes to HTML editor shortcodes which could be used to inject a JavaScript payload on the front end of the site. The shortcode providers that ship with Silverstripe CMS have been reviewed and attribute whitelists have been implemented where appropriate to negate this risk.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-38724","reference_id":"","reference_type":"","scores":[{"value":"0.00322","scoring_system":"epss","scoring_elements":"0.55551","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00322","scoring_system":"epss","scoring_elements":"0.55495","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-38724"},{"reference_url":"https://forum.silverstripe.org/c/releases","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-29T04:33:51Z/"}],"url":"https://forum.silverstripe.org/c/releases"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/assets/CVE-2022-38724.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/assets/CVE-2022-38724.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2022-38724.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2022-38724.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-38724","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-38724"},{"reference_url":"https://www.silverstripe.org/blog/tag/release","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-29T04:33:51Z/"}],"url":"https://www.silverstripe.org/blog/tag/release"},{"reference_url":"https://www.silverstripe.org/download/security-releases","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.silverstripe.org/download/security-releases"},{"reference_url":"https://www.silverstripe.org/download/security-releases/","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-29T04:33:51Z/"}],"url":"https://www.silverstripe.org/download/security-releases/"},{"reference_url":"https://www.silverstripe.org/download/security-releases/cve-2022-38724","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.silverstripe.org/download/security-releases/cve-2022-38724"},{"reference_url":"https://www.silverstripe.org/download/security-releases/CVE-2022-38724","reference_id":"CVE-2022-38724","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-29T04:33:51Z/"}],"url":"https://www.silverstripe.org/download/security-releases/CVE-2022-38724"},{"reference_url":"https://github.com/advisories/GHSA-9cx2-hj6m-fv58","reference_id":"GHSA-9cx2-hj6m-fv58","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9cx2-hj6m-fv58"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/148496?format=json","purl":"pkg:composer/silverstripe/framework@4.11.13","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11sx-j3x7-gkcr"},{"vulnerability":"VCID-2hk2-hzyh-wbhf"},{"vulnerability":"VCID-5cfa-whq6-9ucp"},{"vulnerability":"VCID-79qx-v5uu-jyf2"},{"vulnerability":"VCID-7gak-15m5-j3f5"},{"vulnerability":"VCID-86vg-4j71-hkgr"},{"vulnerability":"VCID-8u5c-6vx3-mfcr"},{"vulnerability":"VCID-9y5u-qyzd-3ud9"},{"vulnerability":"VCID-a7cf-kpzy-xudd"},{"vulnerability":"VCID-gnpw-s9hp-wqfs"},{"vulnerability":"VCID-k46z-g6jp-57ek"},{"vulnerability":"VCID-ky21-z2d2-sye6"},{"vulnerability":"VCID-zdge-zsmz-8ud9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@4.11.13"},{"url":"http://public2.vulnerablecode.io/api/packages/621880?format=json","purl":"pkg:composer/silverstripe/framework@4.12.0-beta1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11sx-j3x7-gkcr"},{"vulnerability":"VCID-2hk2-hzyh-wbhf"},{"vulnerability":"VCID-5cfa-whq6-9ucp"},{"vulnerability":"VCID-79qx-v5uu-jyf2"},{"vulnerability":"VCID-86vg-4j71-hkgr"},{"vulnerability":"VCID-8u5c-6vx3-mfcr"},{"vulnerability":"VCID-9y5u-qyzd-3ud9"},{"vulnerability":"VCID-a7cf-kpzy-xudd"},{"vulnerability":"VCID-gnpw-s9hp-wqfs"},{"vulnerability":"VCID-k46z-g6jp-57ek"},{"vulnerability":"VCID-ky21-z2d2-sye6"},{"vulnerability":"VCID-zdge-zsmz-8ud9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@4.12.0-beta1"}],"aliases":["CVE-2022-38724","GHSA-9cx2-hj6m-fv58","GMS-2022-6853","GMS-2022-6856"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ca4q-xd4v-vqfe"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/110569?format=json","vulnerability_id":"VCID-fmfu-81xu-pfdy","summary":"Stored XSS via HTML fields in SilverStripe Framework\nSilverStripe Framework through 4.10.8 allows XSS, inside of script tags that can can be added to website content via XHR by an authenticated CMS user if the cwp-core module is not installed on the sanitise_server_side contig is not set to true in project code.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-25238","reference_id":"","reference_type":"","scores":[{"value":"0.00338","scoring_system":"epss","scoring_elements":"0.56878","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00338","scoring_system":"epss","scoring_elements":"0.56929","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-25238"},{"reference_url":"https://docs.silverstripe.org/en/4/changelogs/4.10.1","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://docs.silverstripe.org/en/4/changelogs/4.10.1"},{"reference_url":"https://docs.silverstripe.org/en/4/changelogs/4.10.1/","reference_id":"","reference_type":"","scores":[],"url":"https://docs.silverstripe.org/en/4/changelogs/4.10.1/"},{"reference_url":"https://forum.silverstripe.org/c/releases","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://forum.silverstripe.org/c/releases"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2022-25238.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2022-25238.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25238","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25238"},{"reference_url":"https://www.silverstripe.org/blog/tag/release","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.silverstripe.org/blog/tag/release"},{"reference_url":"https://www.silverstripe.org/download/security-releases","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.silverstripe.org/download/security-releases"},{"reference_url":"https://www.silverstripe.org/download/security-releases/","reference_id":"","reference_type":"","scores":[],"url":"https://www.silverstripe.org/download/security-releases/"},{"reference_url":"https://www.silverstripe.org/download/security-releases/cve-2022-25238","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.silverstripe.org/download/security-releases/cve-2022-25238"},{"reference_url":"https://github.com/advisories/GHSA-jx34-gqqq-r6gm","reference_id":"GHSA-jx34-gqqq-r6gm","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jx34-gqqq-r6gm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/149279?format=json","purl":"pkg:composer/silverstripe/framework@4.10.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11sx-j3x7-gkcr"},{"vulnerability":"VCID-2hk2-hzyh-wbhf"},{"vulnerability":"VCID-5cfa-whq6-9ucp"},{"vulnerability":"VCID-79qx-v5uu-jyf2"},{"vulnerability":"VCID-7gak-15m5-j3f5"},{"vulnerability":"VCID-7w7t-3783-1kbs"},{"vulnerability":"VCID-86vg-4j71-hkgr"},{"vulnerability":"VCID-8u5c-6vx3-mfcr"},{"vulnerability":"VCID-9t4k-8hsz-bfdw"},{"vulnerability":"VCID-9y5u-qyzd-3ud9"},{"vulnerability":"VCID-a7cf-kpzy-xudd"},{"vulnerability":"VCID-ca4q-xd4v-vqfe"},{"vulnerability":"VCID-gnpw-s9hp-wqfs"},{"vulnerability":"VCID-k46z-g6jp-57ek"},{"vulnerability":"VCID-ky21-z2d2-sye6"},{"vulnerability":"VCID-uy47-3s8a-hbdn"},{"vulnerability":"VCID-xm4q-u96p-57dd"},{"vulnerability":"VCID-zdge-zsmz-8ud9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@4.10.9"}],"aliases":["CVE-2022-25238","GHSA-jx34-gqqq-r6gm"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fmfu-81xu-pfdy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/45758?format=json","vulnerability_id":"VCID-gnpw-s9hp-wqfs","summary":"Improper Input Validation\nSilverstripe Framework is the MVC framework that powers Silverstripe CMS. When a new member record is created and a password is not set, an empty encrypted password is generated. As a result, if someone is aware of the existence of a member record associated with a specific email address, they can potentially attempt to log in using that empty password. Although the default member authenticator and login form require a non-empty password, alternative authentication methods might still permit a successful login with the empty password. This issue has been patched in versions 4.13.4 and 5.0.13.","references":[{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2023-32302.yaml","reference_id":"","reference_type":"","scores":[{"value":"0.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2023-32302.yaml"},{"reference_url":"https://github.com/github/advisory-database/pull/2575","reference_id":"","reference_type":"","scores":[{"value":"0.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/github/advisory-database/pull/2575"},{"reference_url":"https://github.com/silverstripe/silverstripe-framework","reference_id":"","reference_type":"","scores":[{"value":"0.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/silverstripe/silverstripe-framework"},{"reference_url":"https://github.com/silverstripe/silverstripe-framework/commit/7b21b38ac4532d06565dfcefad50540ebd2b50f4","reference_id":"","reference_type":"","scores":[{"value":"0.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/silverstripe/silverstripe-framework/commit/7b21b38ac4532d06565dfcefad50540ebd2b50f4"},{"reference_url":"https://github.com/silverstripe/silverstripe-framework/releases/tag/4.13.14","reference_id":"","reference_type":"","scores":[{"value":"0.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/silverstripe/silverstripe-framework/releases/tag/4.13.14"},{"reference_url":"https://github.com/silverstripe/silverstripe-framework/releases/tag/5.0.13","reference_id":"","reference_type":"","scores":[{"value":"0.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/silverstripe/silverstripe-framework/releases/tag/5.0.13"},{"reference_url":"https://www.silverstripe.org/download/security-releases/CVE-2023-32302","reference_id":"","reference_type":"","scores":[{"value":"0.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.silverstripe.org/download/security-releases/CVE-2023-32302"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-32302","reference_id":"CVE-2023-32302","reference_type":"","scores":[{"value":"0.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-32302"},{"reference_url":"https://github.com/advisories/GHSA-36xx-7vf6-7mv3","reference_id":"GHSA-36xx-7vf6-7mv3","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-36xx-7vf6-7mv3"},{"reference_url":"https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-36xx-7vf6-7mv3","reference_id":"GHSA-36xx-7vf6-7mv3","reference_type":"","scores":[{"value":"0.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-36xx-7vf6-7mv3"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/66345?format=json","purl":"pkg:composer/silverstripe/framework@4.13.14","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11sx-j3x7-gkcr"},{"vulnerability":"VCID-2hk2-hzyh-wbhf"},{"vulnerability":"VCID-5cfa-whq6-9ucp"},{"vulnerability":"VCID-79qx-v5uu-jyf2"},{"vulnerability":"VCID-86vg-4j71-hkgr"},{"vulnerability":"VCID-8u5c-6vx3-mfcr"},{"vulnerability":"VCID-9y5u-qyzd-3ud9"},{"vulnerability":"VCID-k46z-g6jp-57ek"},{"vulnerability":"VCID-ky21-z2d2-sye6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@4.13.14"},{"url":"http://public2.vulnerablecode.io/api/packages/66346?format=json","purl":"pkg:composer/silverstripe/framework@5.0.13","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11sx-j3x7-gkcr"},{"vulnerability":"VCID-2hk2-hzyh-wbhf"},{"vulnerability":"VCID-5cfa-whq6-9ucp"},{"vulnerability":"VCID-79qx-v5uu-jyf2"},{"vulnerability":"VCID-86vg-4j71-hkgr"},{"vulnerability":"VCID-8u5c-6vx3-mfcr"},{"vulnerability":"VCID-9y5u-qyzd-3ud9"},{"vulnerability":"VCID-k46z-g6jp-57ek"},{"vulnerability":"VCID-ky21-z2d2-sye6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@5.0.13"}],"aliases":["CVE-2023-32302","GHSA-36xx-7vf6-7mv3"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gnpw-s9hp-wqfs"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/55532?format=json","vulnerability_id":"VCID-k46z-g6jp-57ek","summary":"Silverstripe uses TinyMCE which allows svg files linked in object tags\nTinyMCE v6 has a configuration value `convert_unsafe_embeds` set to `false` which allows svg files containing javascript to be used in `<object>` or `<embed>` tags, which can be used as a vector for XSS attacks.\n\nNote that `<embed>` tags are not allowed by default.\n\nAfter patching the default value of `convert_unsafe_embeds` will be set to `true`. This means that `<object>` tags will be converted to iframes instead the next time the page is saved, which may break any pages that rely upon previously saved `<object>` tags. Developers can override this configuration if desired to revert to the original behaviour.\n\nWe reviewed the potential impact of this vulnerability within the context of Silverstripe CMS. We concluded this is a medium impact vulnerability given how TinyMCE is used by Silverstripe CMS.","references":[{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2024-001.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2024-001.yaml"},{"reference_url":"https://github.com/silverstripe/silverstripe-framework","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/silverstripe/silverstripe-framework"},{"reference_url":"https://www.silverstripe.org/download/security-releases/ss-2024-001","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.silverstripe.org/download/security-releases/ss-2024-001"},{"reference_url":"https://github.com/advisories/GHSA-52cw-pvq9-9m5v","reference_id":"GHSA-52cw-pvq9-9m5v","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-52cw-pvq9-9m5v"},{"reference_url":"https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-52cw-pvq9-9m5v","reference_id":"GHSA-52cw-pvq9-9m5v","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-52cw-pvq9-9m5v"},{"reference_url":"https://github.com/advisories/GHSA-5359-pvf2-pw78","reference_id":"GHSA-5359-pvf2-pw78","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5359-pvf2-pw78"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/82195?format=json","purl":"pkg:composer/silverstripe/framework@5.2.16","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11sx-j3x7-gkcr"},{"vulnerability":"VCID-2hk2-hzyh-wbhf"},{"vulnerability":"VCID-5cfa-whq6-9ucp"},{"vulnerability":"VCID-79qx-v5uu-jyf2"},{"vulnerability":"VCID-86vg-4j71-hkgr"},{"vulnerability":"VCID-8u5c-6vx3-mfcr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@5.2.16"}],"aliases":["GHSA-52cw-pvq9-9m5v"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-k46z-g6jp-57ek"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/55529?format=json","vulnerability_id":"VCID-ky21-z2d2-sye6","summary":"Silverstripe Framework has a Cross-site Scripting vulnerability with encoded payload\nA bad actor with access to edit content in the CMS could send a specifically crafted encoded payload to the server, which could be used to inject a JavaScript payload on the front end of the site. The payload would be sanitised on the client-side, but server-side sanitisation doesn't catch it.\n\nThe server-side sanitisation logic has been updated to sanitise against this type of attack.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-32981","reference_id":"","reference_type":"","scores":[{"value":"0.0105","scoring_system":"epss","scoring_elements":"0.7791","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-32981"},{"reference_url":"https://github.com/silverstripe/silverstripe-framework","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/silverstripe/silverstripe-framework"},{"reference_url":"https://github.com/silverstripe/silverstripe-framework/commit/b8d20dc9d531550e06fd7da7a0eafa551922e2e1","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-18T13:18:39Z/"}],"url":"https://github.com/silverstripe/silverstripe-framework/commit/b8d20dc9d531550e06fd7da7a0eafa551922e2e1"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-32981","reference_id":"CVE-2024-32981","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-32981"},{"reference_url":"https://www.silverstripe.org/download/security-releases/cve-2024-32981","reference_id":"CVE-2024-32981","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-18T13:18:39Z/"}],"url":"https://www.silverstripe.org/download/security-releases/cve-2024-32981"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2024-32981.yaml","reference_id":"CVE-2024-32981.YAML","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2024-32981.yaml"},{"reference_url":"https://github.com/advisories/GHSA-chx7-9x8h-r5mg","reference_id":"GHSA-chx7-9x8h-r5mg","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-chx7-9x8h-r5mg"},{"reference_url":"https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-chx7-9x8h-r5mg","reference_id":"GHSA-chx7-9x8h-r5mg","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-18T13:18:39Z/"}],"url":"https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-chx7-9x8h-r5mg"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/82195?format=json","purl":"pkg:composer/silverstripe/framework@5.2.16","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11sx-j3x7-gkcr"},{"vulnerability":"VCID-2hk2-hzyh-wbhf"},{"vulnerability":"VCID-5cfa-whq6-9ucp"},{"vulnerability":"VCID-79qx-v5uu-jyf2"},{"vulnerability":"VCID-86vg-4j71-hkgr"},{"vulnerability":"VCID-8u5c-6vx3-mfcr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@5.2.16"}],"aliases":["CVE-2024-32981","GHSA-chx7-9x8h-r5mg"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ky21-z2d2-sye6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/110076?format=json","vulnerability_id":"VCID-uy47-3s8a-hbdn","summary":"Silverstipe CMS Stored XSS in custom meta tags\nA malicious content author could create a custom meta tag and execute an arbitrary JavaScript payload. This would require convincing a legitimate user to access a page and enter a custom keyboard shortcut.\nThis requires CMS access to exploit.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-37421","reference_id":"","reference_type":"","scores":[{"value":"0.00322","scoring_system":"epss","scoring_elements":"0.55551","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00322","scoring_system":"epss","scoring_elements":"0.55495","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-37421"},{"reference_url":"https://forum.silverstripe.org/c/releases","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-25T20:34:09Z/"}],"url":"https://forum.silverstripe.org/c/releases"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/cms/CVE-2022-37421.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/cms/CVE-2022-37421.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-37421","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-37421"},{"reference_url":"https://www.silverstripe.org/blog/tag/release","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-25T20:34:09Z/"}],"url":"https://www.silverstripe.org/blog/tag/release"},{"reference_url":"https://www.silverstripe.org/download/security-releases","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.silverstripe.org/download/security-releases"},{"reference_url":"https://www.silverstripe.org/download/security-releases/","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-25T20:34:09Z/"}],"url":"https://www.silverstripe.org/download/security-releases/"},{"reference_url":"https://www.silverstripe.org/download/security-releases/cve-2022-37421","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.silverstripe.org/download/security-releases/cve-2022-37421"},{"reference_url":"https://www.silverstripe.org/download/security-releases/CVE-2022-37421","reference_id":"CVE-2022-37421","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-25T20:34:09Z/"}],"url":"https://www.silverstripe.org/download/security-releases/CVE-2022-37421"},{"reference_url":"https://github.com/advisories/GHSA-pp74-g2q5-j4jf","reference_id":"GHSA-pp74-g2q5-j4jf","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-pp74-g2q5-j4jf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/504775?format=json","purl":"pkg:composer/silverstripe/framework@4.11.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11sx-j3x7-gkcr"},{"vulnerability":"VCID-2hk2-hzyh-wbhf"},{"vulnerability":"VCID-5cfa-whq6-9ucp"},{"vulnerability":"VCID-79qx-v5uu-jyf2"},{"vulnerability":"VCID-7gak-15m5-j3f5"},{"vulnerability":"VCID-7w7t-3783-1kbs"},{"vulnerability":"VCID-86vg-4j71-hkgr"},{"vulnerability":"VCID-8u5c-6vx3-mfcr"},{"vulnerability":"VCID-9t4k-8hsz-bfdw"},{"vulnerability":"VCID-9y5u-qyzd-3ud9"},{"vulnerability":"VCID-a7cf-kpzy-xudd"},{"vulnerability":"VCID-ca4q-xd4v-vqfe"},{"vulnerability":"VCID-gnpw-s9hp-wqfs"},{"vulnerability":"VCID-k46z-g6jp-57ek"},{"vulnerability":"VCID-ky21-z2d2-sye6"},{"vulnerability":"VCID-xm4q-u96p-57dd"},{"vulnerability":"VCID-zdge-zsmz-8ud9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@4.11.3"}],"aliases":["CVE-2022-37421","GHSA-pp74-g2q5-j4jf","GMS-2022-6855"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-uy47-3s8a-hbdn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/110084?format=json","vulnerability_id":"VCID-xm4q-u96p-57dd","summary":"Stored XSS using HTMLEditor\nA malicious content author could add a JavaScript payload to the href attribute of a link by splitting a javascript URL with white space characters.\n\nAn attacker must have access to the CMS to exploit this issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-37429","reference_id":"","reference_type":"","scores":[{"value":"0.00322","scoring_system":"epss","scoring_elements":"0.55551","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00322","scoring_system":"epss","scoring_elements":"0.55495","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-37429"},{"reference_url":"https://forum.silverstripe.org/c/releases","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-25T20:33:03Z/"}],"url":"https://forum.silverstripe.org/c/releases"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2022-37429.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2022-37429.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-37429","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-37429"},{"reference_url":"https://www.silverstripe.org/blog/tag/release","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-25T20:33:03Z/"}],"url":"https://www.silverstripe.org/blog/tag/release"},{"reference_url":"https://www.silverstripe.org/download/security-releases","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.silverstripe.org/download/security-releases"},{"reference_url":"https://www.silverstripe.org/download/security-releases/","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-25T20:33:03Z/"}],"url":"https://www.silverstripe.org/download/security-releases/"},{"reference_url":"https://www.silverstripe.org/download/security-releases/cve-2022-37429","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.silverstripe.org/download/security-releases/cve-2022-37429"},{"reference_url":"https://www.silverstripe.org/download/security-releases/CVE-2022-37429","reference_id":"CVE-2022-37429","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-25T20:33:03Z/"}],"url":"https://www.silverstripe.org/download/security-releases/CVE-2022-37429"},{"reference_url":"https://github.com/advisories/GHSA-wc6r-4ggc-79w5","reference_id":"GHSA-wc6r-4ggc-79w5","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-wc6r-4ggc-79w5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/148496?format=json","purl":"pkg:composer/silverstripe/framework@4.11.13","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11sx-j3x7-gkcr"},{"vulnerability":"VCID-2hk2-hzyh-wbhf"},{"vulnerability":"VCID-5cfa-whq6-9ucp"},{"vulnerability":"VCID-79qx-v5uu-jyf2"},{"vulnerability":"VCID-7gak-15m5-j3f5"},{"vulnerability":"VCID-86vg-4j71-hkgr"},{"vulnerability":"VCID-8u5c-6vx3-mfcr"},{"vulnerability":"VCID-9y5u-qyzd-3ud9"},{"vulnerability":"VCID-a7cf-kpzy-xudd"},{"vulnerability":"VCID-gnpw-s9hp-wqfs"},{"vulnerability":"VCID-k46z-g6jp-57ek"},{"vulnerability":"VCID-ky21-z2d2-sye6"},{"vulnerability":"VCID-zdge-zsmz-8ud9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@4.11.13"},{"url":"http://public2.vulnerablecode.io/api/packages/621880?format=json","purl":"pkg:composer/silverstripe/framework@4.12.0-beta1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11sx-j3x7-gkcr"},{"vulnerability":"VCID-2hk2-hzyh-wbhf"},{"vulnerability":"VCID-5cfa-whq6-9ucp"},{"vulnerability":"VCID-79qx-v5uu-jyf2"},{"vulnerability":"VCID-86vg-4j71-hkgr"},{"vulnerability":"VCID-8u5c-6vx3-mfcr"},{"vulnerability":"VCID-9y5u-qyzd-3ud9"},{"vulnerability":"VCID-a7cf-kpzy-xudd"},{"vulnerability":"VCID-gnpw-s9hp-wqfs"},{"vulnerability":"VCID-k46z-g6jp-57ek"},{"vulnerability":"VCID-ky21-z2d2-sye6"},{"vulnerability":"VCID-zdge-zsmz-8ud9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@4.12.0-beta1"}],"aliases":["CVE-2022-37429","GHSA-wc6r-4ggc-79w5","GMS-2022-6859"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xm4q-u96p-57dd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/45062?format=json","vulnerability_id":"VCID-zdge-zsmz-8ud9","summary":"Missing Authorization\nSilverstripe Framework is the Model-View-Controller framework that powers the Silverstripe content management system. Prior to version 4.12.15, the GridField print view incorrectly validates the permission of DataObjects potentially allowing a content author to view records they are not authorised to access. Users should upgrade to Silverstripe Framework 4.12.15 or above to address the issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-22728","reference_id":"","reference_type":"","scores":[{"value":"0.00054","scoring_system":"epss","scoring_elements":"0.1724","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00054","scoring_system":"epss","scoring_elements":"0.17318","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-22728"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2023-22728.yaml","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2023-22728.yaml"},{"reference_url":"https://github.com/silverstripe/silverstripe-framework","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/silverstripe/silverstripe-framework"},{"reference_url":"https://github.com/silverstripe/silverstripe-framework/commit/fd5d8217e83768d7bf841e94b2d4d82642d5bc58","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-31T16:10:52Z/"}],"url":"https://github.com/silverstripe/silverstripe-framework/commit/fd5d8217e83768d7bf841e94b2d4d82642d5bc58"},{"reference_url":"https://www.silverstripe.org/download/security-releases/cve-2023-22728","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.silverstripe.org/download/security-releases/cve-2023-22728"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-22728","reference_id":"CVE-2023-22728","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-22728"},{"reference_url":"https://github.com/advisories/GHSA-jh3w-6jp2-vqqm","reference_id":"GHSA-jh3w-6jp2-vqqm","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-jh3w-6jp2-vqqm"},{"reference_url":"https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-jh3w-6jp2-vqqm","reference_id":"GHSA-jh3w-6jp2-vqqm","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-31T16:10:52Z/"}],"url":"https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-jh3w-6jp2-vqqm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/64977?format=json","purl":"pkg:composer/silverstripe/framework@4.12.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11sx-j3x7-gkcr"},{"vulnerability":"VCID-2hk2-hzyh-wbhf"},{"vulnerability":"VCID-5cfa-whq6-9ucp"},{"vulnerability":"VCID-79qx-v5uu-jyf2"},{"vulnerability":"VCID-86vg-4j71-hkgr"},{"vulnerability":"VCID-8u5c-6vx3-mfcr"},{"vulnerability":"VCID-9y5u-qyzd-3ud9"},{"vulnerability":"VCID-gnpw-s9hp-wqfs"},{"vulnerability":"VCID-k46z-g6jp-57ek"},{"vulnerability":"VCID-ky21-z2d2-sye6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@4.12.5"}],"aliases":["CVE-2023-22728","GHSA-jh3w-6jp2-vqqm"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zdge-zsmz-8ud9"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42251?format=json","vulnerability_id":"VCID-hcuz-gz3w-97ew","summary":"Business Logic Errors in GitHub repository silverstripe/silverstripe-framework","references":[{"reference_url":"https://github.com/silverstripe/silverstripe-framework","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/silverstripe/silverstripe-framework"},{"reference_url":"https://github.com/silverstripe/silverstripe-framework/commit/cbf2987a616e9ef4d7eccae5d763ef2179bdbcc2","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/silverstripe/silverstripe-framework/commit/cbf2987a616e9ef4d7eccae5d763ef2179bdbcc2"},{"reference_url":"https://huntr.dev/bounties/35631e3a-f4b9-41ad-857c-7e3021932a72","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://huntr.dev/bounties/35631e3a-f4b9-41ad-857c-7e3021932a72"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-0227","reference_id":"CVE-2022-0227","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-0227"},{"reference_url":"https://github.com/advisories/GHSA-32m2-9f76-4gv8","reference_id":"GHSA-32m2-9f76-4gv8","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-32m2-9f76-4gv8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/60382?format=json","purl":"pkg:composer/silverstripe/framework@4.10.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11sx-j3x7-gkcr"},{"vulnerability":"VCID-1p79-328x-sueq"},{"vulnerability":"VCID-24a5-ruc4-bycq"},{"vulnerability":"VCID-2hk2-hzyh-wbhf"},{"vulnerability":"VCID-5cfa-whq6-9ucp"},{"vulnerability":"VCID-79qx-v5uu-jyf2"},{"vulnerability":"VCID-7gak-15m5-j3f5"},{"vulnerability":"VCID-7w7t-3783-1kbs"},{"vulnerability":"VCID-86vg-4j71-hkgr"},{"vulnerability":"VCID-8u5c-6vx3-mfcr"},{"vulnerability":"VCID-9t4k-8hsz-bfdw"},{"vulnerability":"VCID-9y5u-qyzd-3ud9"},{"vulnerability":"VCID-a7cf-kpzy-xudd"},{"vulnerability":"VCID-ca4q-xd4v-vqfe"},{"vulnerability":"VCID-fmfu-81xu-pfdy"},{"vulnerability":"VCID-gnpw-s9hp-wqfs"},{"vulnerability":"VCID-k46z-g6jp-57ek"},{"vulnerability":"VCID-ky21-z2d2-sye6"},{"vulnerability":"VCID-uy47-3s8a-hbdn"},{"vulnerability":"VCID-xm4q-u96p-57dd"},{"vulnerability":"VCID-zdge-zsmz-8ud9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@4.10.1"}],"aliases":["CVE-2022-0227","GHSA-32m2-9f76-4gv8"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hcuz-gz3w-97ew"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@4.10.1"}