Vulnerabilities > Silverstripe > Silverstripe > 3.4.1
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-02-19 | CVE-2019-12437 | Cross-Site Request Forgery (CSRF) vulnerability in Silverstripe In SilverStripe through 4.3.3, the previous fix for SS-2018-007 does not completely mitigate the risk of CSRF in GraphQL mutations, | 8.8 |
| 2020-02-19 | CVE-2019-12246 | Cross-Site Request Forgery (CSRF) vulnerability in Silverstripe SilverStripe through 4.3.3 allows a Denial of Service on flush and development URL tools. | 4.3 |
| 2019-09-26 | CVE-2019-16409 | In the Versioned Files module through 2.0.3 for SilverStripe 3.x, unpublished versions of files are publicly exposed to anyone who can guess their URL. | 5.3 |
| 2019-09-26 | CVE-2019-14273 | Files or Directories Accessible to External Parties vulnerability in Silverstripe In SilverStripe assets 4.0, there is broken access control on files. | 5.3 |
| 2019-09-26 | CVE-2019-14272 | Cross-site Scripting vulnerability in Silverstripe In SilverStripe asset-admin 4.0, there is XSS in file titles managed through the CMS. | 5.4 |
| 2019-09-26 | CVE-2019-12617 | Unspecified vulnerability in Silverstripe In SilverStripe through 4.3.3, there is access escalation for CMS users with limited access through permission cache pollution. | 2.7 |
| 2019-09-25 | CVE-2019-12245 | Incorrect Permission Assignment for Critical Resource vulnerability in Silverstripe SilverStripe through 4.3.3 has incorrect access control for protected files uploaded via Upload::loadIntoFile(). | 5.3 |
| 2019-09-25 | CVE-2019-12205 | Cross-site Scripting vulnerability in Silverstripe SilverStripe through 4.3.3 has Flash Clipboard Reflected XSS. | 6.1 |
| 2019-09-25 | CVE-2019-12203 | Session Fixation vulnerability in Silverstripe SilverStripe through 4.3.3 allows session fixation in the "change password" form. | 6.3 |
| 2019-04-11 | CVE-2019-5715 | SQL Injection vulnerability in Silverstripe All versions of SilverStripe 3 prior to 3.6.7 and 3.7.3, and all versions of SilverStripe 4 prior to 4.0.7, 4.1.5, 4.2.4, and 4.3.1 allows Reflected SQL Injection through Form and DataObject. | 9.8 |