Filtered by vendor Silverstripe
Subscriptions
Total
85 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2013-6789 | 1 Silverstripe | 1 Silverstripe | 2025-04-11 | N/A |
| security/MemberLoginForm.php in SilverStripe 3.0.3 supports credentials in a GET request, which allows remote or local attackers to obtain sensitive information by reading web-server access logs, web-server Referer logs, or the browser history, a similar vulnerability to CVE-2013-2653. | ||||
| CVE-2010-1593 | 1 Silverstripe | 1 Silverstripe | 2025-04-11 | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in SilverStripe before 2.3.5 allow remote attackers to inject arbitrary web script or HTML via (1) the CommenterURL parameter to PostCommentForm, and in the Forum module before 0.2.5 in SilverStripe before 2.3.5 allow remote attackers to inject arbitrary web script or HTML via (2) the Search parameter to forums/search (aka the search script). | ||||
| CVE-2010-4822 | 1 Silverstripe | 1 Silverstripe | 2025-04-11 | N/A |
| core/model/MySQLDatabase.php in SilverStripe 2.4.x before 2.4.4, when the site is running in "live mode," allows remote attackers to obtain the SQL queries for a page via the showqueries and ajax parameters. | ||||
| CVE-2010-5078 | 1 Silverstripe | 1 Silverstripe | 2025-04-11 | N/A |
| SilverStripe 2.3.x before 2.3.10 and 2.4.x before 2.4.4 stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain version information via a direct request to (1) apphire/silverstripe_version or (2) cms/silverstripe_version. | ||||
| CVE-2010-5087 | 1 Silverstripe | 1 Silverstripe | 2025-04-11 | N/A |
| SilverStripe 2.3.x before 2.3.10 and 2.4.x before 2.4.4 allows remote attackers to bypass the cross-site request forgery (CSRF) protection mechanism and hijack the authentication of administrators via vectors related to "form action requests" using a controller. | ||||
| CVE-2011-4960 | 1 Silverstripe | 1 Silverstripe | 2025-04-11 | N/A |
| SQL injection vulnerability in the Folder::findOrMake method in SilverStripe 2.3.x before 2.3.12 and 2.4.x before 2.4.6 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | ||||
| CVE-2011-4961 | 1 Silverstripe | 1 Silverstripe | 2025-04-11 | N/A |
| SilverStripe 2.3.x before 2.3.12 and 2.4.x before 2.4.6 allows remote authenticated users with the EDIT_PERMISSIONS permission to gain administrator privileges via a TreeMultiselectField that includes admin groups when adding a user to the selected groups. | ||||
| CVE-2012-6458 | 1 Silverstripe | 1 Silverstripe | 2025-04-11 | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in the SilverStripe e-commerce module 3.0 for SilverStripe CMS allow remote attackers to inject arbitrary web script or HTML via the (1) FirstName, (2) Surname, or (3) Email parameter to code/forms/OrderFormAddress.php; or the (4) FirstName or (5) Surname parameter to code/forms/ShopAccountForm.php. | ||||
| CVE-2008-6753 | 1 Silverstripe | 1 Silverstripe | 2025-04-09 | N/A |
| SQL injection vulnerability in SilverStripe before 2.2.2 allows remote attackers to execute arbitrary SQL commands via unspecified vectors related to AjaxUniqueTextField. | ||||
| CVE-2007-2321 | 1 Silverstripe | 1 Silverstripe | 2025-04-09 | N/A |
| Unspecified vulnerability in the search functionality in SilverStripe 2.0.0 has unknown impact and attack vectors. | ||||
| CVE-2009-1433 | 1 Silverstripe | 1 Silverstripe | 2025-04-09 | N/A |
| SQL injection vulnerability in File::find (filesystem/File.php) in SilverStripe before 2.3.1 allows remote attackers to execute arbitrary SQL commands via the filename parameter. | ||||
| CVE-2023-28104 | 1 Silverstripe | 1 Graphql | 2025-02-25 | 7.5 High |
| `silverstripe/graphql` serves Silverstripe data as GraphQL representations. In versions 4.2.2 and 4.1.1, an attacker could use a specially crafted graphql query to execute a denial of service attack against a website which has a publicly exposed graphql endpoint. This mostly affects websites with particularly large/complex graphql schemas. Users should upgrade to `silverstripe/graphql` 4.2.3 or 4.1.2 to remedy the vulnerability. | ||||
| CVE-2023-22728 | 1 Silverstripe | 1 Framework | 2025-01-31 | 4.3 Medium |
| Silverstripe Framework is the Model-View-Controller framework that powers the Silverstripe content management system. Prior to version 4.12.15, the GridField print view incorrectly validates the permission of DataObjects potentially allowing a content author to view records they are not authorised to access. Users should upgrade to Silverstripe Framework 4.12.15 or above to address the issue. | ||||
| CVE-2023-22729 | 1 Silverstripe | 1 Framework | 2025-01-31 | 5.4 Medium |
| Silverstripe Framework is the Model-View-Controller framework that powers the Silverstripe content management system. Prior to version 4.12.15, an attacker can display a link to a third party website on a login screen by convincing a legitimate content author to follow a specially crafted link. Users should upgrade to Silverstripe Framework 4.12.15 or above to address the issue. | ||||
| CVE-2023-40180 | 1 Silverstripe | 1 Graphql | 2024-11-21 | 7.5 High |
| silverstripe-graphql is a package which serves Silverstripe data in GraphQL representations. An attacker could use a recursive graphql query to execute a Distributed Denial of Service attack (DDOS attack) against a website. This mostly affects websites with publicly exposed graphql schemas. If your Silverstripe CMS project does not expose a public facing graphql schema, a user account is required to trigger the DDOS attack. If your site is hosted behind a content delivery network (CDN), such as Imperva or CloudFlare, this may further mitigate the risk. This issue has been addressed in versions 3.8.2, 4.1.3, 4.2.5, 4.3.4, and 5.0.3. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2022-29858 | 1 Silverstripe | 1 Assets | 2024-11-21 | 4.3 Medium |
| Silverstripe silverstripe/assets through 1.10 is vulnerable to improper access control that allows protected images to be published by changing an existing image short code on website content. | ||||
| CVE-2022-28803 | 1 Silverstripe | 1 Silverstripe | 2024-11-21 | 5.4 Medium |
| In SilverStripe Framework through 2022-04-07, Stored XSS can occur in javascript link tags added via XMLHttpRequest (XHR). | ||||
| CVE-2022-25238 | 1 Silverstripe | 1 Framework | 2024-11-21 | 5.4 Medium |
| Silverstripe silverstripe/framework through 4.10.0 allows XSS, inside of script tags that can can be added to website content via XHR by an authenticated CMS user if the cwp-core module is not installed on the sanitise_server_side contig is not set to true in project code. | ||||
| CVE-2022-24444 | 1 Silverstripe | 1 Silverstripe | 2024-11-21 | 6.5 Medium |
| Silverstripe silverstripe/framework through 4.10 allows Session Fixation. | ||||
| CVE-2021-41559 | 1 Silverstripe | 1 Silverstripe | 2024-11-21 | 6.5 Medium |
| Silverstripe silverstripe/framework 4.8.1 has a quadratic blowup in Convert::xml2array() that enables a remote attack via a crafted XML document. | ||||