Silverstripe vulnerabilities

Columns: date, CVE, vulnerability title, risk score. Each entry is followed by its description, attack vector and complexity (where listed), affected vendor(s), CWE (where listed), and risk score.

2019-09-26  CVE-2019-16409  Information Exposure vulnerability in multiple products
  Description: In the Versioned Files module through 2.0.3 for SilverStripe 3.x, unpublished versions of files are publicly exposed to anyone who can guess their URL.
  Attack vector: network, low complexity
  Vendors: symbiote, silverstripe
  CWE: CWE-200
  Risk score: 5.0

2019-09-26  CVE-2019-14273  Files or Directories Accessible to External Parties vulnerability in Silverstripe
  Description: In SilverStripe assets 4.0, there is broken access control on files.
  Attack vector: network, low complexity
  Vendor: silverstripe
  CWE: CWE-552
  Risk score: 5.0

2019-09-26  CVE-2019-14272  Cross-site Scripting vulnerability in Silverstripe
  Description: In SilverStripe asset-admin 4.0, there is XSS in file titles managed through the CMS.
  Risk score: 3.5

2019-09-26  CVE-2019-12617  Unspecified vulnerability in Silverstripe
  Description: In SilverStripe through 4.3.3, there is access escalation for CMS users with limited access through permission cache pollution.
  Attack vector: network, low complexity
  Vendor: silverstripe
  Risk score: 4.0

2019-09-25  CVE-2019-12245  Incorrect Permission Assignment for Critical Resource vulnerability in Silverstripe
  Description: SilverStripe through 4.3.3 has incorrect access control for protected files uploaded via Upload::loadIntoFile().
  Attack vector: network, low complexity
  Vendor: silverstripe
  CWE: CWE-732
  Risk score: 5.0

2019-09-25  CVE-2019-12205  Cross-site Scripting vulnerability in Silverstripe
  Description: SilverStripe through 4.3.3 has Flash Clipboard Reflected XSS.
  Risk score: 4.3

2019-09-25  CVE-2019-12204  Unspecified vulnerability in Silverstripe
  Description: In SilverStripe through 4.3.3, a missing warning about leaving install.php in a public webroot can lead to unauthenticated admin access.
  Attack vector: network, low complexity
  Vendor: silverstripe
  Risk score: 7.5

2019-09-25  CVE-2019-12203  Session Fixation vulnerability in Silverstripe
  Description: SilverStripe through 4.3.3 allows session fixation in the "change password" form.
  Attack vector: local, high complexity
  Vendor: silverstripe
  CWE: CWE-384
  Risk score: 3.7

2019-06-11  CVE-2019-12149  SQL Injection vulnerability in Silverstripe Registry and Restfulserver
  Description: SQL injection vulnerability in the silverstripe/restfulserver module 1.0.x before 1.0.9, 2.0.x before 2.0.4, and 2.1.x before 2.1.2, and in the silverstripe/registry module 2.1.x before 2.1.1 and 2.2.x before 2.2.1, allows attackers to execute arbitrary SQL commands.
  Attack vector: network, low complexity
  Vendor: silverstripe
  CWE: CWE-89
  Risk score: 7.5

2019-04-11  CVE-2019-5715  SQL Injection vulnerability in Silverstripe
  Description: All versions of SilverStripe 3 prior to 3.6.7 and 3.7.3, and all versions of SilverStripe 4 prior to 4.0.7, 4.1.5, 4.2.4, and 4.3.1, allow Reflected SQL Injection through Form and DataObject.
  Attack vector: network, low complexity
  Vendor: silverstripe
  CWE: CWE-89
  Risk score: 7.5