Silverstripe: >> Silverstripe >> 4.1.1 Security Vulnerabilities
In SilverStripe through 4.3.3, the previous fix for SS-2018-007 does not completely mitigate the risk of CSRF in GraphQL mutations,
CVSS Score
8.8
EPSS Score
0.002
Published
2020-02-19
SilverStripe through 4.3.3 allows a Denial of Service on flush and development URL tools.
CVSS Score
4.3
EPSS Score
0.002
Published
2020-02-19
In SilverStripe through 4.3.3, there is access escalation for CMS users with limited access through permission cache pollution.
CVSS Score
2.7
EPSS Score
0.003
Published
2019-09-26
SilverStripe through 4.3.3 allows session fixation in the "change password" form.
CVSS Score
6.3
EPSS Score
0.001
Published
2019-09-25
In SilverStripe through 4.3.3, a missing warning about leaving install.php in a public webroot can lead to unauthenticated admin access.
CVSS Score
9.8
EPSS Score
0.008
Published
2019-09-25
SilverStripe through 4.3.3 has Flash Clipboard Reflected XSS.
CVSS Score
6.1
EPSS Score
0.004
Published
2019-09-25
SilverStripe through 4.3.3 has incorrect access control for protected files uploaded via Upload::loadIntoFile(). An attacker may be able to guess a filename in silverstripe/assets via the AssetControlExtension.
CVSS Score
5.3
EPSS Score
0.003
Published
2019-09-25
All versions of SilverStripe 3 prior to 3.6.7 and 3.7.3, and all versions of SilverStripe 4 prior to 4.0.7, 4.1.5, 4.2.4, and 4.3.1 allows Reflected SQL Injection through Form and DataObject.
CVSS Score
9.8
EPSS Score
0.003
Published
2019-04-11
Page 2