VYPR

Packagist (Composer) package

silverstripe/framework

pkg:composer/silverstripe/framework

Vulnerabilities (36)

  • CVE-2025-30148Apr 10, 2025
    affected < 5.3.23fixed 5.3.23

    Silverstripe Framework is a PHP framework which powers the Silverstripe CMS. Prior to 5.3.23, bad actor with access to edit content in the CMS could send a specifically crafted encoded payload to the server, which could be used to inject a JavaScript payload on the front end of t

  • CVE-2024-47605MedJan 14, 2025
    affected < 5.3.8fixed 5.3.8

    silverstripe-asset-admin is a silverstripe assets gallery for asset management. When using the "insert media" functionality, the linked oEmbed JSON includes an HTML attribute which will replace the embed shortcode. The HTML is not sanitized before replacing the shortcode, allowin

  • CVE-2024-53277Jan 14, 2025
    affected < 5.3.8fixed 5.3.8

    Silverstripe Framework is a PHP framework which powers the Silverstripe CMS. In some cases, form messages can contain HTML markup. This is an intentional feature, allowing links and other relevant HTML markup for the given message. Some form messages include content that the user

  • CVE-2024-32981Jul 17, 2024
    affected < 5.2.16fixed 5.2.16

    Silverstripe framework is the PHP framework forming the base for the Silverstripe CMS. In affected versions a bad actor with access to edit content in the CMS could add send a specifically crafted encoded payload to the server, which could be used to inject a JavaScript payload o

  • CVE-2023-48714Jan 23, 2024
    affected < 4.13.39fixed 4.13.39

    Silverstripe Framework is the framework that forms the base of the Silverstripe content management system. Prior to versions 4.13.39 and 5.1.11, if a user should not be able to see a record, but that record can be added to a `GridField` using the `GridFieldAddExistingAutocomplete

  • CVE-2023-22729Apr 26, 2023
    affected < 4.12.5fixed 4.12.5

    Silverstripe Framework is the Model-View-Controller framework that powers the Silverstripe content management system. Prior to version 4.12.15, an attacker can display a link to a third party website on a login screen by convincing a legitimate content author to follow a speciall

  • CVE-2023-22728Apr 26, 2023
    affected < 4.12.5fixed 4.12.5

    Silverstripe Framework is the Model-View-Controller framework that powers the Silverstripe content management system. Prior to version 4.12.15, the GridField print view incorrectly validates the permission of DataObjects potentially allowing a content author to view records they

  • CVE-2022-37430Nov 23, 2022
    affected >= 4.0.0, < 4.11.13fixed 4.11.13

    Silverstripe silverstripe/framework through 4.11 allows XSS vulnerability via href attribute of a link (issue 2 of 2).

  • CVE-2022-37429Nov 23, 2022
    affected >= 4.0.0, < 4.11.13fixed 4.11.13

    Silverstripe silverstripe/framework through 4.11 allows XSS (issue 1 of 2) via JavaScript payload to the href attribute of a link by splitting a javascript URL with white space characters.

  • CVE-2022-38724Nov 22, 2022
    affected >= 4.0.0, < 4.11.13fixed 4.11.13

    Silverstripe silverstripe/framework through 4.11.0, silverstripe/assets through 1.11.0, and silverstripe/asset-admin through 1.11.0 allow XSS.

  • CVE-2022-38462Nov 22, 2022
    affected >= 4.0.0, < 4.11.13fixed 4.11.13

    Silverstripe silverstripe/framework through 4.11 is vulnerable to XSS by carefully crafting a return URL on a /dev/build or /Security/login request.

  • CVE-2022-38148Nov 21, 2022
    affected >= 4.0.0, < 4.10.11fixed 4.10.11

    Silverstripe silverstripe/framework through 4.11 allows SQL Injection.

  • CVE-2022-28803Jun 29, 2022
    affected >= 4.0.0, < 4.10.9fixed 4.10.9

    In SilverStripe Framework through 2022-04-07, Stored XSS can occur in javascript link tags added via XMLHttpRequest (XHR).

  • CVE-2022-25238Jun 28, 2022
    affected >= 4.0.0, < 4.10.9fixed 4.10.9

    Silverstripe silverstripe/framework through 4.10.0 allows XSS, inside of script tags that can can be added to website content via XHR by an authenticated CMS user if the cwp-core module is not installed on the sanitise_server_side contig is not set to true in project code.

  • CVE-2021-41559Jun 28, 2022
    affected >= 4.0.0, < 4.10.9fixed 4.10.9

    Silverstripe silverstripe/framework 4.8.1 has a quadratic blowup in Convert::xml2array() that enables a remote attack via a crafted XML document.

  • CVE-2020-25817Jun 8, 2021
    affected >= 4.0.0, < 4.7.4fixed 4.7.4

    SilverStripe through 4.6.0-rc1 has an XXE Vulnerability in CSSContentParser. A developer utility meant for parsing HTML within unit tests can be vulnerable to XML External Entity (XXE) attacks. When this developer utility is misused for purposes involving external or user submitt

  • CVE-2020-26138Jun 8, 2021
    affected >= 3.0.0, < 4.7.4fixed 4.7.4

    In SilverStripe through 4.6.0-rc1, a FormField with square brackets in the field name skips validation.

  • CVE-2020-9311Jul 15, 2020
    affected >= 3.0.0, < 3.7.5fixed 3.7.5

    In SilverStripe through 4.5, malicious users with a valid Silverstripe CMS login (usually CMS access) can craft profile information which can lead to XSS for other users through specially crafted login form URLs.

  • CVE-2020-6164Jul 15, 2020
    affected >= 4.0.0, < 4.4.7fixed 4.4.7

    In SilverStripe through 4.5.0, a specific URL path configured by default through the silverstripe/framework module can be used to disclose the fact that a domain is hosting a Silverstripe application. There is no disclosure of the specific version. The functionality on this URL p

  • CVE-2019-19326Jul 15, 2020
    affected >= 4.0.0, < 4.4.7fixed 4.4.7

    Silverstripe CMS sites through 4.4.4 which have opted into HTTP Cache Headers on responses served by the framework's HTTP layer can be vulnerable to web cache poisoning. Through modifying the X-Original-Url and X-HTTP-Method-Override headers, responses with malicious HTTP headers

Page 1 of 2