Shodan
Vulnerabilities
Vulnerable Software
Silverstripe:  >> Silverstripe  >> 3.0.14  Security Vulnerabilities
CVE-2019-12437
In SilverStripe through 4.3.3, the previous fix for SS-2018-007 does not completely mitigate the risk of CSRF in GraphQL mutations,
CVSS Score
8.8
EPSS Score
0.002
Published
2020-02-19
CVE-2019-12246
SilverStripe through 4.3.3 allows a Denial of Service on flush and development URL tools.
CVSS Score
4.3
EPSS Score
0.002
Published
2020-02-19
CVE-2019-16409
In the Versioned Files module through 2.0.3 for SilverStripe 3.x, unpublished versions of files are publicly exposed to anyone who can guess their URL. This guess could be highly informed by a basic understanding of the symbiote/silverstripe-versionedfiles source code. (Users who upgrade from SilverStripe 3.x to 4.x and had Versioned Files installed have no further need for this module, because the 4.x release has built-in versioning. However, nothing in the upgrade process automates the destruction of these insecure artefacts, nor alerts the user to the criticality of destruction.)
CVSS Score
5.3
EPSS Score
0.003
Published
2019-09-26
CVE-2019-12617
In SilverStripe through 4.3.3, there is access escalation for CMS users with limited access through permission cache pollution.
CVSS Score
2.7
EPSS Score
0.003
Published
2019-09-26
CVE-2019-14272
In SilverStripe asset-admin 4.0, there is XSS in file titles managed through the CMS.
CVSS Score
5.4
EPSS Score
0.004
Published
2019-09-26
CVE-2019-14273
In SilverStripe assets 4.0, there is broken access control on files.
CVSS Score
5.3
EPSS Score
0.003
Published
2019-09-26
CVE-2019-12203
SilverStripe through 4.3.3 allows session fixation in the "change password" form.
CVSS Score
6.3
EPSS Score
0.001
Published
2019-09-25
CVE-2019-12205
SilverStripe through 4.3.3 has Flash Clipboard Reflected XSS.
CVSS Score
6.1
EPSS Score
0.004
Published
2019-09-25
CVE-2019-12245
SilverStripe through 4.3.3 has incorrect access control for protected files uploaded via Upload::loadIntoFile(). An attacker may be able to guess a filename in silverstripe/assets via the AssetControlExtension.
CVSS Score
5.3
EPSS Score
0.003
Published
2019-09-25
CVE-2019-5715
All versions of SilverStripe 3 prior to 3.6.7 and 3.7.3, and all versions of SilverStripe 4 prior to 4.0.7, 4.1.5, 4.2.4, and 4.3.1 allows Reflected SQL Injection through Form and DataObject.
CVSS Score
9.8
EPSS Score
0.004
Published
2019-04-11


Products
Pricing
Contact Us

Shodan ® - All rights reserved