Skip to main content

Silverstripe

29 CVEs product

Monthly

CVE-2022-37421 PHP MEDIUM PATCH This Month

Silverstripe silverstripe/cms through 4.11.0 allows XSS. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Silverstripe
NVD
CVSS 3.1
5.4
EPSS
0.5%
CVE-2022-28803 PHP MEDIUM PATCH This Month

In SilverStripe Framework through 2022-04-07, Stored XSS can occur in javascript link tags added via XMLHttpRequest (XHR). Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Silverstripe
NVD
CVSS 3.1
5.4
EPSS
0.5%
CVE-2022-24444 PHP MEDIUM PATCH This Month

Silverstripe silverstripe/framework through 4.10 allows Session Fixation. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Silverstripe
NVD
CVSS 3.1
6.5
EPSS
0.8%
CVE-2021-28661 PHP MEDIUM POC PATCH This Month

Default SilverStripe GraphQL Server (aka silverstripe/graphql) 3.x through 3.4.1 permission checker not inherited by query subclass. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Silverstripe
NVD GitHub
CVSS 3.1
4.3
EPSS
0.8%
CVE-2021-36150 PHP MEDIUM PATCH This Month

SilverStripe Framework through 4.8.1 allows XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Silverstripe
NVD GitHub
CVSS 3.1
6.1
EPSS
0.8%
CVE-2020-9311 PHP MEDIUM PATCH This Month

In SilverStripe through 4.5, malicious users with a valid Silverstripe CMS login (usually CMS access) can craft profile information which can lead to XSS for other users through specially crafted. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Silverstripe
NVD
CVSS 3.1
5.4
EPSS
0.6%
CVE-2020-6165 PHP MEDIUM PATCH This Month

SilverStripe 4.5.0 allows attackers to read certain records that should not have been placed into a result set. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Silverstripe
NVD
CVSS 3.1
5.3
EPSS
1.1%
CVE-2020-6164 PHP HIGH PATCH This Week

In SilverStripe through 4.5.0, a specific URL path configured by default through the silverstripe/framework module can be used to disclose the fact that a domain is hosting a Silverstripe. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Silverstripe
NVD
CVSS 3.1
7.5
EPSS
1.8%
CVE-2020-9280 PHP HIGH PATCH This Week

In SilverStripe through 4.5, files uploaded via Forms to folders migrated from Silverstripe CMS 3.x may be put to the default "/Uploads" folder instead. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload Silverstripe
NVD
CVSS 3.1
7.5
EPSS
1.7%
CVE-2019-16409 PHP MEDIUM PATCH This Month

In the Versioned Files module through 2.0.3 for SilverStripe 3.x, unpublished versions of files are publicly exposed to anyone who can guess their URL. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Silverstripe Versionedfiles
NVD GitHub
CVSS 3.1
5.3
EPSS
1.2%
CVE-2019-14273 PHP MEDIUM PATCH This Month

In SilverStripe assets 4.0, there is broken access control on files. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Information Disclosure Silverstripe
NVD
CVSS 3.1
5.3
EPSS
1.1%
CVE-2019-14272 PHP MEDIUM PATCH This Month

In SilverStripe asset-admin 4.0, there is XSS in file titles managed through the CMS. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Silverstripe
NVD
CVSS 3.1
5.4
EPSS
0.7%
CVE-2019-12617 PHP LOW PATCH Monitor

In SilverStripe through 4.3.3, there is access escalation for CMS users with limited access through permission cache pollution. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Silverstripe
NVD
CVSS 3.1
2.7
EPSS
0.9%
CVE-2019-12245 PHP MEDIUM PATCH This Month

SilverStripe through 4.3.3 has incorrect access control for protected files uploaded via Upload::loadIntoFile(). Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Silverstripe
NVD
CVSS 3.1
5.3
EPSS
1.4%
CVE-2019-12205 PHP MEDIUM PATCH This Month

SilverStripe through 4.3.3 has Flash Clipboard Reflected XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Silverstripe
NVD
CVSS 3.1
6.1
EPSS
0.9%
CVE-2019-12204 PHP CRITICAL PATCH Act Now

In SilverStripe through 4.3.3, a missing warning about leaving install.php in a public webroot can lead to unauthenticated admin access. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP Information Disclosure Silverstripe
NVD
CVSS 3.1
9.8
EPSS
1.5%
CVE-2019-12203 PHP MEDIUM PATCH This Month

SilverStripe through 4.3.3 allows session fixation in the "change password" form. Rated medium severity (CVSS 6.3), this vulnerability is no authentication required. No vendor patch available.

Session Fixation Information Disclosure Silverstripe
NVD
CVSS 3.1
6.3
EPSS
0.4%
CVE-2019-5715 PHP CRITICAL PATCH Act Now

All versions of SilverStripe 3 prior to 3.6.7 and 3.7.3, and all versions of SilverStripe 4 prior to 4.0.7, 4.1.5, 4.2.4, and 4.3.1 allows Reflected SQL Injection through Form and DataObject. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Silverstripe
NVD
CVSS 3.0
9.8
EPSS
1.6%
CVE-2017-12849 PHP MEDIUM PATCH This Month

Response discrepancy in the login and password reset forms in SilverStripe CMS before 3.5.5 and 3.6.x before 3.6.1 allows remote attackers to enumerate users via timing attacks. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Silverstripe
NVD
CVSS 3.0
5.3
EPSS
0.2%
CVE-2017-14498 PHP MEDIUM POC PATCH This Month

SilverStripe CMS before 3.6.1 has XSS via an SVG document that is mishandled by (1) the Insert Media option in the content editor or (2) an admin/assets/add pathname, as demonstrated by the. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Silverstripe
NVD GitHub
CVSS 3.0
6.1
EPSS
0.4%
CVE-2017-5197 PHP MEDIUM PATCH This Month

There is XSS in SilverStripe CMS before 3.4.4 and 3.5.x before 3.5.2. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Silverstripe
NVD
CVSS 3.0
6.1
EPSS
0.3%
CVE-2015-8606 PHP MEDIUM PATCH This Month

Multiple cross-site scripting (XSS) vulnerabilities in SilverStripe CMS & Framework before 3.1.16 and 3.2.x before 3.2.1 allow remote attackers to inject arbitrary web script or HTML via the (1). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS Silverstripe
NVD
CVSS 3.0
6.1
EPSS
0.4%
CVE-2015-5063 MEDIUM POC This Month

Multiple cross-site scripting (XSS) vulnerabilities in SilverStripe CMS & Framework 3.1.13 allow remote attackers to inject arbitrary web script or HTML via the (1) admin_username or (2). Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

XSS PHP Silverstripe
NVD
CVSS 2.0
4.3
EPSS
0.3%
CVE-2015-5062 PHP MEDIUM POC This Month

Open redirect vulnerability in SilverStripe CMS & Framework 3.1.13 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the returnURL parameter. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Open Redirect Silverstripe
NVD
CVSS 2.0
5.8
EPSS
0.3%
CVE-2013-6789 MEDIUM POC PATCH This Month

security/MemberLoginForm.php in SilverStripe 3.0.3 supports credentials in a GET request, which allows remote or local attackers to obtain sensitive information by reading web-server access logs,. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

PHP Information Disclosure Silverstripe
NVD GitHub
CVSS 2.0
5.0
EPSS
0.3%
CVE-2013-2653 MEDIUM POC PATCH This Month

security/MemberLoginForm.php in SilverStripe 3.0.3 supports login using a GET request, which makes it easier for remote attackers to conduct phishing attacks without detection by the victim. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable. Public exploit code available.

PHP Information Disclosure Silverstripe
NVD GitHub Exploit-DB
CVSS 2.0
5.8
EPSS
5.7%
CVE-2012-6458 MEDIUM This Month

Multiple cross-site scripting (XSS) vulnerabilities in the SilverStripe e-commerce module 3.0 for SilverStripe CMS allow remote attackers to inject arbitrary web script or HTML via the (1) FirstName,. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

PHP XSS Silverstripe
NVD
CVSS 2.0
4.3
EPSS
0.2%
CVE-2012-4968 PHP MEDIUM POC PATCH This Month

Multiple cross-site scripting (XSS) vulnerabilities in SilverStripe 2.3.x before 2.3.13 and 2.4.x before 2.4.7 allow remote attackers to inject arbitrary web script or HTML via (1) a crafted string. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available.

XSS Silverstripe
NVD GitHub
CVSS 2.0
4.3
EPSS
0.3%
CVE-2012-0976 LOW POC Monitor

Cross-site scripting (XSS) vulnerability in admin/EditForm in SilverStripe 2.4.6 allows remote authenticated users with Content Authors privileges to inject arbitrary web script or HTML via the Title. Rated low severity (CVSS 2.1), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

XSS Silverstripe
NVD GitHub
CVSS 2.0
2.1
EPSS
0.4%
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

Silverstripe silverstripe/cms through 4.11.0 allows XSS. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Silverstripe
NVD
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

In SilverStripe Framework through 2022-04-07, Stored XSS can occur in javascript link tags added via XMLHttpRequest (XHR). Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Silverstripe
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Silverstripe silverstripe/framework through 4.10 allows Session Fixation. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Silverstripe
NVD
EPSS 1% CVSS 4.3
MEDIUM POC PATCH This Month

Default SilverStripe GraphQL Server (aka silverstripe/graphql) 3.x through 3.4.1 permission checker not inherited by query subclass. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Silverstripe
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

SilverStripe Framework through 4.8.1 allows XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Silverstripe
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

In SilverStripe through 4.5, malicious users with a valid Silverstripe CMS login (usually CMS access) can craft profile information which can lead to XSS for other users through specially crafted. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Silverstripe
NVD
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

SilverStripe 4.5.0 allows attackers to read certain records that should not have been placed into a result set. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Silverstripe
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

In SilverStripe through 4.5.0, a specific URL path configured by default through the silverstripe/framework module can be used to disclose the fact that a domain is hosting a Silverstripe. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Silverstripe
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

In SilverStripe through 4.5, files uploaded via Forms to folders migrated from Silverstripe CMS 3.x may be put to the default "/Uploads" folder instead. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload Silverstripe
NVD
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

In the Versioned Files module through 2.0.3 for SilverStripe 3.x, unpublished versions of files are publicly exposed to anyone who can guess their URL. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Silverstripe Versionedfiles
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

In SilverStripe assets 4.0, there is broken access control on files. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Information Disclosure Silverstripe
NVD
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

In SilverStripe asset-admin 4.0, there is XSS in file titles managed through the CMS. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Silverstripe
NVD
EPSS 1% CVSS 2.7
LOW PATCH Monitor

In SilverStripe through 4.3.3, there is access escalation for CMS users with limited access through permission cache pollution. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Silverstripe
NVD
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

SilverStripe through 4.3.3 has incorrect access control for protected files uploaded via Upload::loadIntoFile(). Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Silverstripe
NVD
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

SilverStripe through 4.3.3 has Flash Clipboard Reflected XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Silverstripe
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

In SilverStripe through 4.3.3, a missing warning about leaving install.php in a public webroot can lead to unauthenticated admin access. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP Information Disclosure Silverstripe
NVD
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

SilverStripe through 4.3.3 allows session fixation in the "change password" form. Rated medium severity (CVSS 6.3), this vulnerability is no authentication required. No vendor patch available.

Session Fixation Information Disclosure Silverstripe
NVD
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

All versions of SilverStripe 3 prior to 3.6.7 and 3.7.3, and all versions of SilverStripe 4 prior to 4.0.7, 4.1.5, 4.2.4, and 4.3.1 allows Reflected SQL Injection through Form and DataObject. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Silverstripe
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Response discrepancy in the login and password reset forms in SilverStripe CMS before 3.5.5 and 3.6.x before 3.6.1 allows remote attackers to enumerate users via timing attacks. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Silverstripe
NVD
EPSS 0% CVSS 6.1
MEDIUM POC PATCH This Month

SilverStripe CMS before 3.6.1 has XSS via an SVG document that is mishandled by (1) the Insert Media option in the content editor or (2) an admin/assets/add pathname, as demonstrated by the. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Silverstripe
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

There is XSS in SilverStripe CMS before 3.4.4 and 3.5.x before 3.5.2. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Silverstripe
NVD
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Multiple cross-site scripting (XSS) vulnerabilities in SilverStripe CMS & Framework before 3.1.16 and 3.2.x before 3.2.1 allow remote attackers to inject arbitrary web script or HTML via the (1). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS Silverstripe
NVD
EPSS 0% CVSS 4.3
MEDIUM POC This Month

Multiple cross-site scripting (XSS) vulnerabilities in SilverStripe CMS & Framework 3.1.13 allow remote attackers to inject arbitrary web script or HTML via the (1) admin_username or (2). Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

XSS PHP Silverstripe
NVD
EPSS 0% CVSS 5.8
MEDIUM POC This Month

Open redirect vulnerability in SilverStripe CMS & Framework 3.1.13 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the returnURL parameter. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Open Redirect Silverstripe
NVD
EPSS 0% CVSS 5.0
MEDIUM POC PATCH This Month

security/MemberLoginForm.php in SilverStripe 3.0.3 supports credentials in a GET request, which allows remote or local attackers to obtain sensitive information by reading web-server access logs,. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

PHP Information Disclosure Silverstripe
NVD GitHub
EPSS 6% CVSS 5.8
MEDIUM POC PATCH This Month

security/MemberLoginForm.php in SilverStripe 3.0.3 supports login using a GET request, which makes it easier for remote attackers to conduct phishing attacks without detection by the victim. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable. Public exploit code available.

PHP Information Disclosure Silverstripe
NVD GitHub Exploit-DB
EPSS 0% CVSS 4.3
MEDIUM This Month

Multiple cross-site scripting (XSS) vulnerabilities in the SilverStripe e-commerce module 3.0 for SilverStripe CMS allow remote attackers to inject arbitrary web script or HTML via the (1) FirstName,. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

PHP XSS Silverstripe
NVD
EPSS 0% CVSS 4.3
MEDIUM POC PATCH This Month

Multiple cross-site scripting (XSS) vulnerabilities in SilverStripe 2.3.x before 2.3.13 and 2.4.x before 2.4.7 allow remote attackers to inject arbitrary web script or HTML via (1) a crafted string. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available.

XSS Silverstripe
NVD GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Cross-site scripting (XSS) vulnerability in admin/EditForm in SilverStripe 2.4.6 allows remote authenticated users with Content Authors privileges to inject arbitrary web script or HTML via the Title. Rated low severity (CVSS 2.1), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

XSS Silverstripe
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy