Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-rbft-1w3r-3ub7
Vulnerability ID VCID-rbft-1w3r-3ub7
Aliases GHSA-3mm9-2p44-rw39
Summary Silverstripe SiteTree Creation Permission Vulnerability A vulnerability exists in the permission validation for SiteTree object creation. By default user permissions are not validated by the SiteTree::canCreate method, unless overridden by user code or via the configuration system. This vulnerability will allow users, or unauthenticated guests, to create new SiteTree objects in the database. This vulnerability is present when such users are given CMS access via other means, or if there is another mechanism (such as RestfulServer module) which allows model editing and relies on model-level permission checks. This vulnerability is restricted to the creation of draft or live pages, and does not allow users to edit, publish, or unpublish existing pages. All users should upgrade as soon as possible.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-863 Incorrect Authorization
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-3mm9-2p44-rw39
cvssv3.1 7.5 https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/cms/SS-2015-008-1.yaml
generic_textual HIGH https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/cms/SS-2015-008-1.yaml
cvssv3.1 7.5 https://github.com/silverstripe/silverstripe-cms
generic_textual HIGH https://github.com/silverstripe/silverstripe-cms
cvssv3.1 7.5 https://github.com/silverstripe/silverstripe-cms/commit/3df41e1176385215f15fffb04fcba033a5151fb4
generic_textual HIGH https://github.com/silverstripe/silverstripe-cms/commit/3df41e1176385215f15fffb04fcba033a5151fb4
cvssv3.1 7.5 https://github.com/silverstripe/silverstripe-cms/commit/64955e57d1239975183f47d3ac8c3e801ddbf122
generic_textual HIGH https://github.com/silverstripe/silverstripe-cms/commit/64955e57d1239975183f47d3ac8c3e801ddbf122
cvssv3.1 7.5 https://www.silverstripe.org/software/download/security-releases/ss-2015-008-sitetree-creation-permission-vulnerability
generic_textual HIGH https://www.silverstripe.org/software/download/security-releases/ss-2015-008-sitetree-creation-permission-vulnerability
Reference id Reference type URL
https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/cms/SS-2015-008-1.yaml
https://github.com/silverstripe/silverstripe-cms
https://github.com/silverstripe/silverstripe-cms/commit/3df41e1176385215f15fffb04fcba033a5151fb4
https://github.com/silverstripe/silverstripe-cms/commit/64955e57d1239975183f47d3ac8c3e801ddbf122
https://www.silverstripe.org/software/download/security-releases/ss-2015-008-sitetree-creation-permission-vulnerability
GHSA-3mm9-2p44-rw39 https://github.com/advisories/GHSA-3mm9-2p44-rw39
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/cms/SS-2015-008-1.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/silverstripe/silverstripe-cms
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/silverstripe/silverstripe-cms/commit/3df41e1176385215f15fffb04fcba033a5151fb4
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/silverstripe/silverstripe-cms/commit/64955e57d1239975183f47d3ac8c3e801ddbf122
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://www.silverstripe.org/software/download/security-releases/ss-2015-008-sitetree-creation-permission-vulnerability
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

No EPSS data available for this vulnerability.

Date Actor Action Source VulnerableCode Version
2026-04-01T12:52:06.070170+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-3mm9-2p44-rw39/GHSA-3mm9-2p44-rw39.json 38.0.0