Security Advisories - silverstripe/framework

silverstripe/framework Security Advisories for 3.6.7 (12)

[MEDIUM] CVE-2024-32981 - XSS Vulnerability with text/html base64-encoded payload

PKSA-jndv-7cgy-xwm3 CVE-2024-32981 GHSA-chx7-9x8h-r5mg

Affected version: <5.2.16

Reported by:
GitHub, FriendsOfPHP/security-advisories
SS-2024-001 - TinyMCE allows svg files linked in object tags

PKSA-8tf6-2hv5-c6tq

Affected version: <5.2.16

Reported by:
FriendsOfPHP/security-advisories
[MEDIUM] CVE-2023-48714 Record titles for restricted records can be viewed if exposed by GridFieldAddExistingAutocompleter

PKSA-vcdc-4796-kn58 CVE-2023-48714 GHSA-qm2j-qvq3-j29v

Affected version: >=3.0.0,<4.0.0|>=4.0.0,<4.13.39|>=5.0.0,<5.1.11

Reported by:
GitHub, FriendsOfPHP/security-advisories
[LOW] CVE-2023-32302 - Members with no password can be created and bypass custom login forms

PKSA-2t2m-vnwy-55q7 CVE-2023-32302 GHSA-36xx-7vf6-7mv3

Affected version: >=3.0.0,<4.13.14|>=5.0.0,<5.0.13

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] Business Logic Errors in SilverStripe Framework

PKSA-7j38-hj68-r82v CVE-2022-0227 GHSA-32m2-9f76-4gv8

Affected version: <4.10.1

Reported by:
GitHub
[MEDIUM] CVE-2020-26138 FormField: with square brackets in field name skips validation

PKSA-pq7g-1pwh-dw3n CVE-2020-26138 GHSA-7mv4-4xpg-xq44

Affected version: >=3.0.0,<4.0.0|>=4.0.0,<4.7.4

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] CVE-2020-9311: Malicious user profile information can cause login form XSS

PKSA-34vk-6svm-bpgy CVE-2020-9311 GHSA-2pw2-qpcp-m47x

Affected version: >=3.0.0,<3.7.5

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] CVE-2019-19326: Web Cache Poisoning through HTTPRequestBuilder

PKSA-75gp-x5bj-hcwc CVE-2019-19326 GHSA-q9ff-3q93-fm8m

Affected version: >=4.0.0,<4.4.7|>=4.5.0,<4.5.4|>=3.0.0,<3.7.5

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] Lack of access control on upoaded files

PKSA-5yvt-vswv-zn54 CVE-2019-12245 GHSA-jvx5-rm6q-gx7p

Affected version: >=4.4.0,<4.4.4|>=4.0.0,<4.3.6|>=3.7.0,<3.7.4|<3.6.8

Reported by:
GitHub
[MEDIUM] CVE-2019-12205: Clipboard Reflected XSS

PKSA-89c6-sr3z-fq77 CVE-2019-12205 GHSA-rfvw-5848-gxc5

Affected version: >=3.0.0,<3.9.99|>=4.3.0,<4.3.5|>=4.4.0,<4.4.4

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] CVE-2019-12203: Session fixation in "change password" form

PKSA-wh2k-pccc-jn5p CVE-2019-12203 GHSA-w7r7-r8r9-vrg2

Affected version: >=3.6.0,<3.6.8|>=3.7.0,<3.7.4|>=4.0.0,<4.3.5|>=4.4.0,<4.4.4

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] SS-2018-013: Passwords sent back to browsers under some circumstances

PKSA-th4m-g9z7-6q8r GHSA-vp8p-c6xj-xpj7

Affected version: >=3.5.5,<3.7.0|>=4.0.3,<4.0.4|>=4.1.0,<4.1.1

Reported by:
GitHub, FriendsOfPHP/security-advisories

silverstripe/framework Security Advisories for 3.6.7 (12)

[MEDIUM] CVE-2024-32981 - XSS Vulnerability with text/html base64-encoded payload

SS-2024-001 - TinyMCE allows svg files linked in object tags

[MEDIUM] CVE-2023-48714 Record titles for restricted records can be viewed if exposed by GridFieldAddExistingAutocompleter

[LOW] CVE-2023-32302 - Members with no password can be created and bypass custom login forms

[MEDIUM] Business Logic Errors in SilverStripe Framework

[MEDIUM] CVE-2020-26138 FormField: with square brackets in field name skips validation

[MEDIUM] CVE-2020-9311: Malicious user profile information can cause login form XSS

[MEDIUM] CVE-2019-19326: Web Cache Poisoning through HTTPRequestBuilder

[MEDIUM] Lack of access control on upoaded files

[MEDIUM] CVE-2019-12205: Clipboard Reflected XSS

[MEDIUM] CVE-2019-12203: Session fixation in "change password" form

[MEDIUM] SS-2018-013: Passwords sent back to browsers under some circumstances