Packagist (Composer) package
silverstripe/assets
pkg:composer/silverstripe/assets
Vulnerabilities (6)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-24749 | Med | 5.3 | | < 2.4.5 | 2.4.5 | Apr 16, 2026 | The Silverstripe Assets Module is a required component of Silverstripe Framework. In versions prior to 2.4.5 and 3.0.0-rc1 through 3.1.2, images rendered in templates or otherwise accessed via DBFile::getURL() or DBFile::getSourceURL() incorrectly add an access grant to the curre |
| CVE-2022-38147 | — | | | >= 1.0.0, < 1.11.1 | 1.11.1 | Nov 23, 2022 | Silverstripe silverstripe/framework through 4.11 allows XSS (issue 3 of 3). |
| CVE-2022-38724 | — | | | >= 1.0.0, < 1.11.1 | 1.11.1 | Nov 22, 2022 | Silverstripe silverstripe/framework through 4.11.0, silverstripe/assets through 1.11.0, and silverstripe/asset-admin through 1.11.0 allow XSS. |
| CVE-2022-29858 | — | | | >= 1.0.0, < 1.10.1 | 1.10.1 | Jun 28, 2022 | Silverstripe silverstripe/assets through 1.10 is vulnerable to improper access control that allows protected images to be published by changing an existing image short code on website content. |
| CVE-2020-9280 | — | | | >= 1.0.0, < 1.4.7 | 1.4.7 | Apr 15, 2020 | In SilverStripe through 4.5, files uploaded via Forms to folders migrated from Silverstripe CMS 3.x may be put to the default "/Uploads" folder instead. This affects installations which allowed upload folder protection via the optional silverstripe/secureassets module under 3.x. |
| CVE-2019-12245 | — | | | >= 1.0.0, < 1.3.5 | 1.3.5 | Sep 25, 2019 | SilverStripe through 4.3.3 has incorrect access control for protected files uploaded via Upload::loadIntoFile(). An attacker may be able to guess a filename in silverstripe/assets via the AssetControlExtension. |