Vulnerabilities > Silverstripe

DATE CVE VULNERABILITY TITLE RISK
2012-09-17 CVE-2011-4960 SQL Injection vulnerability in Silverstripe
SQL injection vulnerability in the Folder::findOrMake method in SilverStripe 2.3.x before 2.3.12 and 2.4.x before 2.4.6 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
network
low complexity
silverstripe CWE-89
7.5
2012-09-17 CVE-2011-4959 SQL Injection vulnerability in Silverstripe
SQL injection vulnerability in the addslashes method in SilverStripe 2.3.x before 2.3.12 and 2.4.x before 2.4.6, when connected to a MySQL database using far east character encodings, allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
6.8
2012-09-17 CVE-2010-5079 Cryptographic Issues vulnerability in Silverstripe
SilverStripe 2.3.x before 2.3.10 and 2.4.x before 2.4.4 uses weak entropy when generating tokens for (1) the CSRF protection mechanism, (2) autologin, (3) "forgot password" functionality, and (4) password salts, which makes it easier for remote attackers to bypass intended access restrictions via unspecified vectors.
network
low complexity
silverstripe CWE-310
5.0
2012-09-17 CVE-2010-5078 Permissions, Privileges, and Access Controls vulnerability in Silverstripe
SilverStripe 2.3.x before 2.3.10 and 2.4.x before 2.4.4 stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain version information via a direct request to (1) sapphire/silverstripe_version or (2) cms/silverstripe_version.
network
low complexity
silverstripe CWE-264
5.0
2012-09-17 CVE-2010-4824 SQL Injection vulnerability in Silverstripe
SQL injection vulnerability in the augmentSQL method in core/model/Translatable.php in SilverStripe 2.3.x before 2.3.10 and 2.4.x before 2.4.4, when the Translatable extension is enabled, allows remote attackers to execute arbitrary SQL commands via the locale parameter.
6.8
2012-09-17 CVE-2010-4823 Cross-Site Scripting vulnerability in Silverstripe
Cross-site scripting (XSS) vulnerability in the httpError method in sapphire/core/control/RequestHandler.php in SilverStripe 2.3.x before 2.3.10 and 2.4.x before 2.4.4, when custom error handling is not used, allows remote attackers to inject arbitrary web script or HTML via "missing URL actions."
4.3
2012-09-17 CVE-2010-4822 Information Exposure vulnerability in Silverstripe
core/model/MySQLDatabase.php in SilverStripe 2.4.x before 2.4.4, when the site is running in "live mode," allows remote attackers to obtain the SQL queries for a page via the showqueries and ajax parameters.
4.3
2012-08-26 CVE-2010-5188 Information Exposure vulnerability in Silverstripe
SilverStripe 2.3.x before 2.3.6 allows remote attackers to obtain sensitive information via the (1) debug_memory parameter to core/control/Director.php or (2) debug_profile parameter to main.php.
network
low complexity
silverstripe CWE-200
5.0
2012-08-26 CVE-2010-5187 Information Exposure vulnerability in Silverstripe
SilverStripe 2.3.x before 2.3.8 and 2.4.x before 2.4.1, when running on servers with certain configurations, allows remote attackers to obtain sensitive information via a direct request to PHP files in the (1) sapphire, (2) cms, or (3) mysite folders, which reveals the installation path in an error message.
4.3
2012-08-26 CVE-2010-5095 Cross-Site Scripting vulnerability in Silverstripe
Cross-site scripting (XSS) vulnerability in SilverStripe 2.3.x before 2.3.6 allows remote attackers to inject arbitrary web script or HTML via vectors related to DataObjectSet pagination.
4.3