VYPR
Vendor

Silverstripe

Products
14
CVEs
58
Across products
62
Status
Private

Products

14

Recent CVEs

58
View all 58 CVEs →
  • CVE-2017-5197MedMar 6, 2017
    risk 0.40cvss 6.1epss 0.01

    There is XSS in SilverStripe CMS before 3.4.4 and 3.5.x before 3.5.2. The attack vector is a page name. An example payload is a crafted JavaScript event handler within a malformed SVG element.

  • CVE-2015-8606MedApr 13, 2016
    risk 0.40cvss 6.1epss 0.02

    Multiple cross-site scripting (XSS) vulnerabilities in SilverStripe CMS & Framework before 3.1.16 and 3.2.x before 3.2.1 allow remote attackers to inject arbitrary web script or HTML via the (1) Locale or (2) FailedLoginCount parameter to admin/security/EditForm/field/Members/ite…

  • CVE-2017-12849MedOct 12, 2017
    risk 0.35cvss 5.3epss 0.01

    Response discrepancy in the login and password reset forms in SilverStripe CMS before 3.5.5 and 3.6.x before 3.6.1 allows remote attackers to enumerate users via timing attacks.

  • CVE-2026-24749MedApr 16, 2026
    risk 0.34cvss 5.3epss 0.00

    The Silverstripe Assets Module is a required component of Silverstripe Framework. In versions prior to 2.4.5 and 3.0.0-rc1 through 3.1.2, images rendered in templates or otherwise accessed via DBFile::getURL() or DBFile::getSourceURL() incorrectly add an access grant to the…

  • CVE-2017-14498MedSep 15, 2017
    risk 0.33cvss 6.1epss 0.01

    SilverStripe CMS before 3.6.1 has XSS via an SVG document that is mishandled by (1) the Insert Media option in the content editor or (2) an admin/assets/add pathname, as demonstrated by the admin/pages/edit/EditorToolbar/MediaForm/field/AssetUploadField/upload URI, aka issue…

  • CVE-2024-47605MedJan 14, 2025
    risk 0.31cvss 5.4epss 0.01

    silverstripe-asset-admin is a silverstripe assets gallery for asset management. When using the "insert media" functionality, the linked oEmbed JSON includes an HTML attribute which will replace the embed shortcode. The HTML is not sanitized before replacing the shortcode,…

  • CVE-2025-25197MedApr 10, 2025
    risk 0.28cvss 5.4epss 0.00

    Silverstripe Elemental extends a page type to swap the content area for a list of manageable elements to compose a page out of rather than a single text field. An elemental block can include an XSS payload, which can be executed when viewing the "Content blocks in use" report.…

  • CVE-2025-30148Apr 10, 2025
    risk 0.00cvss epss 0.00

    Silverstripe Framework is a PHP framework which powers the Silverstripe CMS. Prior to 5.3.23, bad actor with access to edit content in the CMS could send a specifically crafted encoded payload to the server, which could be used to inject a JavaScript payload on the front end of…

  • CVE-2024-53277Jan 14, 2025
    risk 0.00cvss epss 0.00

    Silverstripe Framework is a PHP framework which powers the Silverstripe CMS. In some cases, form messages can contain HTML markup. This is an intentional feature, allowing links and other relevant HTML markup for the given message. Some form messages include content that the…

  • CVE-2024-32981Jul 17, 2024
    risk 0.00cvss epss 0.00

    Silverstripe framework is the PHP framework forming the base for the Silverstripe CMS. In affected versions a bad actor with access to edit content in the CMS could add send a specifically crafted encoded payload to the server, which could be used to inject a JavaScript payload…

  • CVE-2024-29885Jul 17, 2024
    risk 0.00cvss epss 0.00

    silverstripe/reports is an API for creating backend reports in the Silverstripe Framework. In affected versions reports can be accessed by their direct URL by any user who has access to view the reports admin section, even if the `canView()` method for that report returns…

  • CVE-2023-49783Jan 23, 2024
    risk 0.00cvss epss 0.00

    Silverstripe Admin provides a basic management interface for the Silverstripe Framework. In versions on the 1.x branch prior to 1.13.19 and on the 2.x branch prior to 2.1.8, users who don't have edit or delete permissions for records exposed in a `ModelAdmin` can still edit or…

  • CVE-2023-48714Jan 23, 2024
    risk 0.00cvss epss 0.00

    Silverstripe Framework is the framework that forms the base of the Silverstripe content management system. Prior to versions 4.13.39 and 5.1.11, if a user should not be able to see a record, but that record can be added to a `GridField` using the…

  • CVE-2023-44401Jan 23, 2024
    risk 0.00cvss epss 0.00

    The Silverstripe CMS GraphQL Server serves Silverstripe data as GraphQL representations. In versions 4.0.0 prior to 4.3.7 and 5.0.0 prior to 5.1.3, `canView` permission checks are bypassed for ORM data in paginated GraphQL query results where the total number of records is…

  • CVE-2023-40180Oct 16, 2023
    risk 0.00cvss epss 0.01

    silverstripe-graphql is a package which serves Silverstripe data in GraphQL representations. An attacker could use a recursive graphql query to execute a Distributed Denial of Service attack (DDOS attack) against a website. This mostly affects websites with publicly exposed…

  • CVE-2023-22729Apr 26, 2023
    risk 0.00cvss epss 0.00

    Silverstripe Framework is the Model-View-Controller framework that powers the Silverstripe content management system. Prior to version 4.12.15, an attacker can display a link to a third party website on a login screen by convincing a legitimate content author to follow a…

  • CVE-2023-22728Apr 26, 2023
    risk 0.00cvss epss 0.00

    Silverstripe Framework is the Model-View-Controller framework that powers the Silverstripe content management system. Prior to version 4.12.15, the GridField print view incorrectly validates the permission of DataObjects potentially allowing a content author to view records they…

  • CVE-2023-28104Mar 16, 2023
    risk 0.00cvss epss 0.01

    `silverstripe/graphql` serves Silverstripe data as GraphQL representations. In versions 4.2.2 and 4.1.1, an attacker could use a specially crafted graphql query to execute a denial of service attack against a website which has a publicly exposed graphql endpoint. This mostly…

  • CVE-2022-38147Nov 23, 2022
    risk 0.00cvss epss 0.01

    Silverstripe silverstripe/framework through 4.11 allows XSS (issue 3 of 3).

  • CVE-2022-37429Nov 23, 2022
    risk 0.00cvss epss 0.00

    Silverstripe silverstripe/framework through 4.11 allows XSS (issue 1 of 2) via JavaScript payload to the href attribute of a link by splitting a javascript URL with white space characters.