VYPR

Packagist (Composer) package

silverstripe/framework

pkg:composer/silverstripe/framework

Vulnerabilities (36)

  • CVE-2020-9280 (Apr 15, 2020)
    affected >= 4.0.0, < 4.4.6; fixed 4.4.6

    In SilverStripe through 4.5, files uploaded via Forms to folders migrated from Silverstripe CMS 3.x may be put to the default "/Uploads" folder instead. This affects installations which allowed upload folder protection via the optional silverstripe/secureassets module under 3.x.

  • CVE-2019-12246 (Feb 19, 2020)
    affected >= 4.0.0, < 4.4.0; fixed 4.4.0

    SilverStripe through 4.3.3 allows a Denial of Service on flush and development URL tools.

  • CVE-2019-19325 (Feb 17, 2020)
    affected >= 4.5.0, < 4.5.2; fixed 4.5.2

    SilverStripe through 4.4.x before 4.4.5 and 4.5.x before 4.5.2 allows Reflected XSS on the login form and custom forms. Silverstripe Forms allow malicious HTML or JavaScript to be inserted through non-scalar FormField attributes, which allows performing XSS (Cross-Site Scripting).

  • CVE-2019-16409 (Sep 26, 2019)
    affected >= 4.0.0, < 4.3.5; fixed 4.3.5

    In the Versioned Files module through 2.0.3 for SilverStripe 3.x, unpublished versions of files are publicly exposed to anyone who can guess their URL. This guess could be highly informed by a basic understanding of the symbiote/silverstripe-versionedfiles source code. (Users who

  • CVE-2019-12617 (Sep 26, 2019)
    affected >= 4.4.0, < 4.4.4; fixed 4.4.4

    In SilverStripe through 4.3.3, there is access escalation for CMS users with limited access through permission cache pollution.

  • CVE-2019-14272 (Sep 26, 2019)
    affected >= 4.0.0, < 4.3.5; fixed 4.3.5

    In SilverStripe asset-admin 4.0, there is XSS in file titles managed through the CMS.

  • CVE-2019-14273 (Sep 26, 2019)
    affected >= 4.0.0, < 4.3.5; fixed 4.3.5

    In SilverStripe assets 4.0, there is broken access control on files.

  • CVE-2019-12205 (Sep 25, 2019)
    affected >= 3.0.0, < 4.3.5; fixed 4.3.5

    SilverStripe through 4.3.3 has Flash Clipboard Reflected XSS.

  • CVE-2019-12203 (Sep 25, 2019)
    affected >= 3.7.0, < 3.7.4; fixed 3.7.4

    SilverStripe through 4.3.3 allows session fixation in the "change password" form.

  • CVE-2019-12245 (Sep 25, 2019)
    affected < 3.6.8; fixed 3.6.8

    SilverStripe through 4.3.3 has incorrect access control for protected files uploaded via Upload::loadIntoFile(). An attacker may be able to guess a filename in silverstripe/assets via the AssetControlExtension.

  • CVE-2019-12204 (Sep 25, 2019)
    affected >= 4.1.0, < 4.3.5; fixed 4.3.5

    In SilverStripe through 4.3.3, a missing warning about leaving install.php in a public webroot can lead to unauthenticated admin access.

  • CVE-2019-5715 (Apr 11, 2019)
    affected >= 3.0.0, < 3.6.7; fixed 3.6.7

    All versions of SilverStripe 3 prior to 3.6.7 and 3.7.3, and all versions of SilverStripe 4 prior to 4.0.7, 4.1.5, 4.2.4, and 4.3.1 allows Reflected SQL Injection through Form and DataObject.

  • CVE-2017-18049 (Jan 23, 2018)
    affected < 3.5.6; fixed 3.5.6

    In the CSV export feature of SilverStripe before 3.5.6, 3.6.x before 3.6.3, and 4.x before 4.0.1, it's possible for the output to contain macros and scripts, which may be executed if imported without sanitization into common software (including Microsoft Excel). For example, the

  • CVE-2015-5062 (Jun 24, 2015)
    affected <= 3.1.13

    Open redirect vulnerability in SilverStripe CMS & Framework 3.1.13 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the returnURL parameter to dev/build.

  • CVE-2012-4968 (Sep 17, 2012)
    affected >= 2.3, < 2.3.13; fixed 2.3.13

    Multiple cross-site scripting (XSS) vulnerabilities in SilverStripe 2.3.x before 2.3.13 and 2.4.x before 2.4.7 allow remote attackers to inject arbitrary web script or HTML via (1) a crafted string to the AbsoluteLinks, (2) BigSummary, (3) ContextSummary, (4) EscapeXML, (5) First

  • CVE-2010-1593 (Apr 28, 2010)
    affected < 2.3.5; fixed 2.3.5

    Multiple cross-site scripting (XSS) vulnerabilities in SilverStripe before 2.3.5 allow remote attackers to inject arbitrary web script or HTML via (1) the CommenterURL parameter to PostCommentForm, and in the Forum module before 0.2.5 in SilverStripe before 2.3.5 allow remote att
