Vulnerabilities > Silverstripe > Silverstripe > 2.3.5
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2022-06-29 | CVE-2022-28803 | Cross-site Scripting vulnerability in Silverstripe In SilverStripe Framework through 2022-04-07, Stored XSS can occur in javascript link tags added via XMLHttpRequest (XHR). | 5.4 |
2022-06-28 | CVE-2021-41559 | XML Entity Expansion vulnerability in Silverstripe Silverstripe silverstripe/framework 4.8.1 has a quadratic blowup in Convert::xml2array() that enables a remote attack via a crafted XML document. | 6.5 |
2022-06-28 | CVE-2022-24444 | Session Fixation vulnerability in Silverstripe Silverstripe silverstripe/framework through 4.10 allows Session Fixation. | 6.5 |
2021-10-07 | CVE-2021-36150 | Cross-site Scripting vulnerability in Silverstripe SilverStripe Framework through 4.8.1 allows XSS. | 6.1 |
2021-06-08 | CVE-2020-26136 | Improper Authentication vulnerability in Silverstripe In SilverStripe through 4.6.0-rc1, GraphQL doesn't honour MFA (multi-factor authentication) when using basic authentication. | 6.5 |
2021-06-08 | CVE-2020-25817 | XXE vulnerability in Silverstripe SilverStripe through 4.6.0-rc1 has an XXE Vulnerability in CSSContentParser. | 4.8 |
2021-06-08 | CVE-2020-26138 | Improper Input Validation vulnerability in Silverstripe In SilverStripe through 4.6.0-rc1, a FormField with square brackets in the field name skips validation. | 5.3 |
2020-07-15 | CVE-2020-6164 | Unspecified vulnerability in Silverstripe In SilverStripe through 4.5.0, a specific URL path configured by default through the silverstripe/framework module can be used to disclose the fact that a domain is hosting a Silverstripe application. | 7.5 |
2020-02-19 | CVE-2019-12437 | Cross-Site Request Forgery (CSRF) vulnerability in Silverstripe In SilverStripe through 4.3.3, the previous fix for SS-2018-007 does not completely mitigate the risk of CSRF in GraphQL mutations, | 8.8 |
2020-02-19 | CVE-2019-12246 | Cross-Site Request Forgery (CSRF) vulnerability in Silverstripe SilverStripe through 4.3.3 allows a Denial of Service on flush and development URL tools. | 4.3 |