Latest silverstripe silverstripe Vulnerabilities

● CVE-2021-41559

CVE-2021-41559: Quadratic blowup in Convert::xml2array()

composer/silverstripe/framework>=4.0.0<4.10.9

Silverstripe silverstripe<4.10.9

● CVE-2022-24444

CVE-2022-24444: Hybridsessions does not expire session id on logout

composer/silverstripe/hybridsessions>=1.0.0<2.4.1>=2.5.0<2.5.1

Silverstripe silverstripe<=2.4.0

Silverstripe silverstripe=2.5.0

● CVE-2022-28803

CVE-2022-28803: Stored XSS in link tags added via XHR

composer/silverstripe/framework>=4.0.0<4.10.9

Silverstripe silverstripe<4.10.9

● CVE-2022-37421

CVE-2022-37421 - Stored XSS in custom meta tags

composer/silverstripe/cms>=4.0.0<4.11.3

Silverstripe silverstripe>=3.0.0<4.11.3

● CVE-2021-36150

CVE-2021-36150 - Insert from files link text - Reflective (self) Cross Site Scripting

composer/silverstripe/admin>=1.0.0<1.8.1

Silverstripe silverstripe>=1.0.0<1.8.1

Silverstripe silverstripe>1.9.0<=4.8.1

composer/silverstripe/admin>=1.0.0<1.8.1

● CVE-2020-25817

SilverStripe through 4.6.0-rc1 has an XXE Vulnerability in CSSContentParser. A developer utility meant for parsing HTML within unit tests can be vulnerable to XML External Entity (XXE) attacks. When t...

Silverstripe silverstripe<4.6.0

Silverstripe silverstripe=4.6.0-rc1

composer/silverstripe/framework>=4.0.0<4.7.4

● CVE-2020-26136

CVE-2020-26136 GraphQL doesn't honour MFA when using basic auth

composer/silverstripe/graphql>=3.0.0<3.5.0>=4.0.0-alpha1<4.0.0-alpha2

Silverstripe silverstripe<4.6.0

Silverstripe silverstripe=4.6.0-rc1

composer/silverstripe/graphql>=4.0.0-alpha1<4.0.0-alpha2

composer/silverstripe/graphql>=3.0.0<3.5.0

<4.6.0

and 1 more

● CVE-2020-26138

CVE-2020-26138 FormField: with square brackets in field name skips validation

composer/silverstripe/framework>=3.0.0<4.0.0>=4.0.0<4.7.4

Silverstripe silverstripe<4.6.0

Silverstripe silverstripe=4.6.0-rc1

composer/silverstripe/framework>=3.0.0<4.7.4

<4.6.0

=4.6.0-rc1

● CVE-2021-28661

CVE-2021-28661 Default GraphQL permission checker not inherited by query subclass

composer/silverstripe/graphql>=3.0.0<3.5.2

Silverstripe silverstripe>=3.0.0<=3.4.1

composer/silverstripe/graphql>=3.0.0<3.5.2

● CVE-2020-9311

CVE-2020-9311: Malicious user profile information can cause login form XSS

composer/silverstripe/framework>=3.0.0<3.7.5

composer/silverstripe/cms<=4.5.0

Silverstripe silverstripe>=3.0.0<3.7.5

composer/silverstripe/framework>=3.0.0<3.7.5

>=3.0.0<3.7.5

● CVE-2019-19326

CVE-2019-19326: Web Cache Poisoning through HTTPRequestBuilder

composer/silverstripe/framework>=4.0.0<4.4.7>=4.5.0<4.5.4>=3.0.0<3.7.5

Silverstripe silverstripe>=3.0.0<3.7.5

Silverstripe silverstripe>=4.0.0<4.4.7

Silverstripe silverstripe>=4.5.0<4.5.4

● CVE-2020-6165

CVE-2020-6165: Limited queries break CanViewPermissionChecker

composer/silverstripe/graphql>=3.2.0<3.2.4

composer/silverstripe/recipe-cms>=4.5.0<4.5.3

Silverstripe silverstripe>=3.2.0<3.2.4

Silverstripe silverstripe>=3.2.5<3.3.0

Silverstripe silverstripe>=4.5.0<4.5.3

and 3 more

● CVE-2020-6164

CVE-2020-6164: Information disclosure on /interactive URL path

composer/silverstripe/framework>=4.0.0<4.4.7>=4.5.0<4.5.4

composer/silverstripe/cms<=4.5.0

Silverstripe silverstripe<=3.0.0

Silverstripe silverstripe>=4.0.0<4.4.7

Silverstripe silverstripe>=4.5.0<4.5.4

composer/silverstripe/framework>=4.5.0<4.5.4

and 4 more

● CVE-2019-19325

CVE-2019-19325: XSS through non-scalar FormField attributes

composer/silverstripe/framework>=4.0.0<4.4.5>=4.5.0<4.5.2

Silverstripe silverstripe>=4.4.0<4.4.5

Silverstripe silverstripe>=4.5.0<4.5.2

composer/silverstripe/framework>=4.0.0<4.4.5

composer/silverstripe/framework>=4.5.0<4.5.2

● CVE-2019-14273

CVE-2019-14273: Broken Access control on files

composer/silverstripe/framework>=4.0.0<4.3.5>=4.4.0<4.4.4

Silverstripe silverstripe<=4.0.0

composer/silverstripe/framework>=4.4.0<4.4.4

composer/silverstripe/framework>=4.0.0<4.3.5

● CVE-2019-12203

CVE-2019-12203: Session fixation in "change password" form

composer/silverstripe/framework>=3.6.0<3.6.8>=3.7.0<3.7.4>=4.0.0<4.3.5>=4.4.0<4.4.4

Silverstripe silverstripe<=4.3.3

composer/silverstripe/framework>=4.0.0<4.3.5

composer/silverstripe/framework>=3.6.0<3.6.8

composer/silverstripe/framework>=4.4.0<4.4.4

composer/silverstripe/framework>=3.7.0<3.7.4

and 1 more

● CVE-2019-12204

CVE-2019-12204: Missing warning on install.php on public webroot can lead to unauthenticated admin access

composer/silverstripe/framework>=4.1.0<4.3.5>=4.4.0<4.4.4

Silverstripe silverstripe>=4.1.0<=4.3.3

composer/silverstripe/framework>=4.1.0<4.3.5

composer/silverstripe/cms>=4.4.0<4.4.4

>=4.1.0<=4.3.3

● CVE-2019-16409

CVE-2019-16409: Secureassets and versionedfiles modules can expose versions of protected files

composer/silverstripe/framework>=4.0.0<4.3.5>=4.4.0<4.4.4

Silverstripe silverstripe>=3.0.0<=3.7.4

Symbiote Versionedfiles<=2.0.3

composer/silverstripe/framework>=4.4.0<4.4.4

composer/silverstripe/framework>=4.0.0<4.3.5

composer/symbiote/silverstripe-versionedfiles<=2.0.3

and 2 more

● CVE-2019-12205

CVE-2019-12205: Clipboard Reflected XSS

composer/silverstripe/admin<1.3.5

composer/silverstripe/framework>=4.4.0-rc1<4.4.4

composer/silverstripe/framework>=3.0.0<4.3.5

composer/silverstripe/framework>=3.0.0<3.9.99>=4.3.0<4.3.5>=4.4.0<4.4.4

Silverstripe silverstripe<=4.3.3

● CVE-2019-14272

CVE-2019-14272: XSS in file titles managed through the CMS

composer/silverstripe/framework>=4.0.0<4.3.5>=4.4.0<4.4.4

Silverstripe silverstripe<=4.0.0

composer/silverstripe/framework>=4.4.0<4.4.4

composer/silverstripe/framework>=4.0.0<4.3.5

● CVE-2019-12617

CVE-2019-12617: Access escalation for CMS users with limited access through permission cache pollution

composer/silverstripe/framework>=4.3.0<4.3.5>=4.4.0<4.4.4

Silverstripe silverstripe<=4.3.3

composer/silverstripe/framework>=4.3.0<4.3.5

composer/silverstripe/framework>=4.4.0<4.4.4

● CVE-2019-12245

CVE-2019-12245: Incorrect access control vulnerability in files uploaded to protected folders

composer/silverstripe/assets>=1.0.0<1.3.5>=1.4.0<1.4.4

Silverstripe silverstripe<=4.3.3

composer/silverstripe/assets>=1.4.0<1.4.4

composer/silverstripe/assets>=1.0.0<1.3.5

composer/silverstripe/framework>=4.4.0<4.4.4

composer/silverstripe/framework>=4.0.0<4.3.6

and 2 more

● CVE-2020-9280

CVE-2020-9280: Folders migrated from 3.x may be unsafe to upload to

composer/silverstripe/assets>=1.0.0<1.4.7>=1.5.0<1.5.2

Silverstripe silverstripe>=4.0.0<=4.5.0

composer/silverstripe/assets>=1.5.0<1.5.2

composer/silverstripe/assets>=1.0.0<1.4.7

composer/silverstripe/userforms>=5.0.0<5.4.2

composer/silverstripe/framework>=4.0.0<4.4.6

● CVE-2019-12437

CVE-2019-12437: Cross Site Request Forgery (CSRF) Protection Bypass in GraphQL

composer/silverstripe/graphql>=2.0.0<2.0.5>=3.0.0<3.1.2>=3.1.0<3.1.2

Silverstripe silverstripe<=4.3.3

composer/silverstripe/graphql>=3.1.0<3.1.2

composer/silverstripe/graphql>=2.0.0<2.0.5

● CVE-2019-12246

CVE-2019-12246: Denial of Service on flush and development URL tools

composer/silverstripe/framework>=4.0.0<4.4.0>=4.1.0<4.4.0>=4.2.0<4.4.0>=4.3.0<4.4.0

Silverstripe silverstripe<=4.3.3

composer/silverstripe/framework<=3.6

composer/silverstripe/framework>=4.0.0<4.4.0

● CVE-2019-5715

All versions of SilverStripe 3 prior to 3.6.7 and 3.7.3, and all versions of SilverStripe 4 prior to 4.0.7, 4.1.5, 4.2.4, and 4.3.1 allows Reflected SQL Injection through Form and DataObject.

composer/silverstripe/framework>=3.0.0<3.6.7>=3.7.0<3.7.3>=4.0.0<4.0.7>=4.1.0<4.1.5>=4.2.0<4.2.4>=4.3.0<4.3.1

composer/silverstripe/framework>=3.0.0<3.6.7

composer/silverstripe/framework>=4.3.0<4.3.1

composer/silverstripe/framework>=4.2.0<4.2.4

composer/silverstripe/framework>=4.1.0<4.1.5

composer/silverstripe/framework>=3.7.0<3.7.3

and 13 more

Latest silverstripe silverstripe Vulnerabilities

Company

Resources

Contact