Filtered by vendor Silverstripe
Subscribe
Total
89 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-53277 | 1 Silverstripe | 1 Framework | 2025-09-04 | N/A | 5.4 MEDIUM |
| Silverstripe Framework is a PHP framework which powers the Silverstripe CMS. In some cases, form messages can contain HTML markup. This is an intentional feature, allowing links and other relevant HTML markup for the given message. Some form messages include content that the user can provide. There are scenarios in the CMS where that content doesn't get correctly sanitised prior to being included in the form message, resulting in an XSS vulnerability. This issue has been addressed in silverstripe/framework version 5.3.8 and users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2025-30148 | 1 Silverstripe | 1 Framework | 2025-09-04 | N/A | 5.4 MEDIUM |
| Silverstripe Framework is a PHP framework which powers the Silverstripe CMS. Prior to 5.3.23, bad actor with access to edit content in the CMS could send a specifically crafted encoded payload to the server, which could be used to inject a JavaScript payload on the front end of the site. The payload would be sanitized on the client-side, but server-side sanitization doesn't catch it. The server-side sanitization logic has been updated to sanitize against this attack. This vulnerability is fixed in 5.3.23. | |||||
| CVE-2024-32981 | 1 Silverstripe | 1 Framework | 2025-09-04 | N/A | 5.4 MEDIUM |
| Silverstripe framework is the PHP framework forming the base for the Silverstripe CMS. In affected versions a bad actor with access to edit content in the CMS could add send a specifically crafted encoded payload to the server, which could be used to inject a JavaScript payload on the front end of the site. The payload would be sanitised on the client-side, but server-side sanitisation doesn't catch it. The server-side sanitisation logic has been updated to sanitise against this type of attack in version 5.2.16. All users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2024-29885 | 1 Silverstripe | 1 Reports | 2025-09-04 | N/A | 4.3 MEDIUM |
| silverstripe/reports is an API for creating backend reports in the Silverstripe Framework. In affected versions reports can be accessed by their direct URL by any user who has access to view the reports admin section, even if the `canView()` method for that report returns `false`. This issue has been addressed in version 5.2.3. All users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2022-38148 | 1 Silverstripe | 1 Framework | 2025-04-30 | N/A | 8.8 HIGH |
| Silverstripe silverstripe/framework through 4.11 allows SQL Injection. | |||||
| CVE-2022-38146 | 1 Silverstripe | 1 Framework | 2025-04-30 | N/A | 5.4 MEDIUM |
| Silverstripe silverstripe/framework through 4.11 allows XSS (issue 2 of 3). | |||||
| CVE-2022-38724 | 1 Silverstripe | 3 Asset Admin, Assets, Framework | 2025-04-29 | N/A | 5.4 MEDIUM |
| Silverstripe silverstripe/framework through 4.11.0, silverstripe/assets through 1.11.0, and silverstripe/asset-admin through 1.11.0 allow XSS. | |||||
| CVE-2022-38462 | 1 Silverstripe | 1 Framework | 2025-04-29 | N/A | 6.1 MEDIUM |
| Silverstripe silverstripe/framework through 4.11 is vulnerable to XSS by carefully crafting a return URL on a /dev/build or /Security/login request. | |||||
| CVE-2022-38147 | 1 Silverstripe | 1 Framework | 2025-04-25 | N/A | 5.4 MEDIUM |
| Silverstripe silverstripe/framework through 4.11 allows XSS (issue 3 of 3). | |||||
| CVE-2022-38145 | 1 Silverstripe | 1 Framework | 2025-04-25 | N/A | 5.4 MEDIUM |
| Silverstripe silverstripe/framework through 4.11 allows XSS (issue 1 of 3) via remote attackers adding a Javascript payload to a page's meta description and get it executed in the versioned history compare view. | |||||
| CVE-2022-37430 | 1 Silverstripe | 1 Framework | 2025-04-25 | N/A | 5.4 MEDIUM |
| Silverstripe silverstripe/framework through 4.11 allows XSS vulnerability via href attribute of a link (issue 2 of 2). | |||||
| CVE-2022-37429 | 1 Silverstripe | 1 Framework | 2025-04-25 | N/A | 5.4 MEDIUM |
| Silverstripe silverstripe/framework through 4.11 allows XSS (issue 1 of 2) via JavaScript payload to the href attribute of a link by splitting a javascript URL with white space characters. | |||||
| CVE-2022-37421 | 1 Silverstripe | 1 Silverstripe | 2025-04-25 | N/A | 5.4 MEDIUM |
| Silverstripe silverstripe/cms through 4.11.0 allows XSS. | |||||
| CVE-2017-5197 | 1 Silverstripe | 1 Silverstripe | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| There is XSS in SilverStripe CMS before 3.4.4 and 3.5.x before 3.5.2. The attack vector is a page name. An example payload is a crafted JavaScript event handler within a malformed SVG element. | |||||
| CVE-2017-12849 | 1 Silverstripe | 1 Silverstripe | 2025-04-20 | 5.0 MEDIUM | 5.3 MEDIUM |
| Response discrepancy in the login and password reset forms in SilverStripe CMS before 3.5.5 and 3.6.x before 3.6.1 allows remote attackers to enumerate users via timing attacks. | |||||
| CVE-2017-14498 | 1 Silverstripe | 1 Silverstripe | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| SilverStripe CMS before 3.6.1 has XSS via an SVG document that is mishandled by (1) the Insert Media option in the content editor or (2) an admin/assets/add pathname, as demonstrated by the admin/pages/edit/EditorToolbar/MediaForm/field/AssetUploadField/upload URI, aka issue SS-2017-017. | |||||
| CVE-2022-42949 | 1 Silverstripe | 1 Subsites | 2025-04-17 | N/A | 7.5 HIGH |
| Silverstripe silverstripe/subsites through 2.6.0 has Insecure Permissions. | |||||
| CVE-2015-5062 | 1 Silverstripe | 1 Silverstripe | 2025-04-12 | 5.8 MEDIUM | N/A |
| Open redirect vulnerability in SilverStripe CMS & Framework 3.1.13 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the returnURL parameter to dev/build. | |||||
| CVE-2011-4958 | 1 Silverstripe | 1 Silverstripe | 2025-04-12 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the process function in SSViewer.php in SilverStripe before 2.3.13 and 2.4.x before 2.4.6 allows remote attackers to inject arbitrary web script or HTML via the QUERY_STRING to template placeholders, as demonstrated by a request to (1) admin/reports/, (2) admin/comments/, (3) admin/, (4) admin/show/, (5) admin/assets/, and (6) admin/security/. | |||||
| CVE-2015-5063 | 1 Silverstripe | 1 Silverstripe | 2025-04-12 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in SilverStripe CMS & Framework 3.1.13 allow remote attackers to inject arbitrary web script or HTML via the (1) admin_username or (2) admin_password parameter to install.php. | |||||