silverstripe/framework Security Advisories for 3.4.0 (25)
-
[MEDIUM] CVE-2024-32981 - XSS Vulnerability with text/html base64-encoded payload
PKSA-jndv-7cgy-xwm3 CVE-2024-32981 GHSA-chx7-9x8h-r5mg
Affected version: <5.2.16
Reported by:
GitHub, FriendsOfPHP/security-advisories -
SS-2024-001 - TinyMCE allows svg files linked in object tags
Affected version: <5.2.16
Reported by:
FriendsOfPHP/security-advisories -
[MEDIUM] CVE-2023-48714 Record titles for restricted records can be viewed if exposed by GridFieldAddExistingAutocompleter
PKSA-vcdc-4796-kn58 CVE-2023-48714 GHSA-qm2j-qvq3-j29v
Affected version: >=3.0.0,<4.0.0|>=4.0.0,<4.13.39|>=5.0.0,<5.1.11
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[LOW] CVE-2023-32302 - Members with no password can be created and bypass custom login forms
PKSA-2t2m-vnwy-55q7 CVE-2023-32302 GHSA-36xx-7vf6-7mv3
Affected version: >=3.0.0,<4.13.14|>=5.0.0,<5.0.13
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] SilverStripe CSV Excel Macro Injection
PKSA-4npp-z2k1-kdtx CVE-2017-18049 GHSA-2jvj-mhf2-g99w
Affected version: >=4.0.0,<4.0.1|>=3.6.0,<3.6.3|<3.5.6
Reported by:
GitHub -
[MEDIUM] Business Logic Errors in SilverStripe Framework
PKSA-7j38-hj68-r82v CVE-2022-0227 GHSA-32m2-9f76-4gv8
Affected version: <4.10.1
Reported by:
GitHub -
[MEDIUM] CVE-2020-26138 FormField: with square brackets in field name skips validation
PKSA-pq7g-1pwh-dw3n CVE-2020-26138 GHSA-7mv4-4xpg-xq44
Affected version: >=3.0.0,<4.0.0|>=4.0.0,<4.7.4
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] CVE-2020-9311: Malicious user profile information can cause login form XSS
PKSA-34vk-6svm-bpgy CVE-2020-9311 GHSA-2pw2-qpcp-m47x
Affected version: >=3.0.0,<3.7.5
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] CVE-2019-19326: Web Cache Poisoning through HTTPRequestBuilder
PKSA-75gp-x5bj-hcwc CVE-2019-19326 GHSA-q9ff-3q93-fm8m
Affected version: >=4.0.0,<4.4.7|>=4.5.0,<4.5.4|>=3.0.0,<3.7.5
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] Lack of access control on upoaded files
PKSA-5yvt-vswv-zn54 CVE-2019-12245 GHSA-jvx5-rm6q-gx7p
Affected version: >=4.4.0,<4.4.4|>=4.0.0,<4.3.6|>=3.7.0,<3.7.4|<3.6.8
Reported by:
GitHub -
[MEDIUM] CVE-2019-12205: Clipboard Reflected XSS
PKSA-89c6-sr3z-fq77 CVE-2019-12205 GHSA-rfvw-5848-gxc5
Affected version: >=3.0.0,<3.9.99|>=4.3.0,<4.3.5|>=4.4.0,<4.4.4
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[CRITICAL] CVE-2019-5715: Reflected SQL Injection through Form and DataObject
PKSA-sn55-3v1d-5xkw CVE-2019-5715 GHSA-wvfw-w3x6-g526
Affected version: >=3.0.0,<3.6.7|>=3.7.0,<3.7.3|>=4.0.0,<4.0.7|>=4.1.0,<4.1.5|>=4.2.0,<4.2.4|>=4.3.0,<4.3.1
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[HIGH] SS-2017-003: XSS in RedirectorPage
PKSA-c5xx-ym8s-c3ty GHSA-vgxh-x8jv-hmff
Affected version: >=3.4.0,<3.4.6|>=3.5.0,<3.5.4
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[HIGH] SS-2017-004: XSS in page history comparison
PKSA-qt6n-rv4n-mdrh GHSA-cwgq-83w5-8jfq
Affected version: >=3.4.0,<3.4.6|>=3.5.0,<3.5.4
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] SS-2017-002: Member disclosure in login form
PKSA-7nk4-stp5-bg39 GHSA-p5h2-vr99-xm99
Affected version: >=3.4.0,<3.4.6|>=3.5.0,<3.5.4
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] SS-2017-001: XSS In page name
PKSA-rnbc-t8d7-m7fs GHSA-55qg-6c4m-mw6g
Affected version: >=3.4.0,<3.4.4|>=3.5.0,<3.5.2
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] SS-2016-010: ReadOnly transformation for formfields exploitable
PKSA-j8mg-1yjt-xbcg GHSA-xpff-c35g-j3cr
Affected version: >=3.1.0,<3.1.21|>=3.2.0,<3.2.6|>=3.3.0,<3.3.4|>=3.4.0,<3.4.2
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] SS-2016-016: XSS In CMSSecurity BackURL
PKSA-k5zs-4c34-gd54 GHSA-hhvj-mcrx-3vcf
Affected version: >=3.1.0,<3.1.21|>=3.2.0,<3.2.6|>=3.3.0,<3.3.4|>=3.4.0,<3.4.2
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] SS-2016-007: VersionedRequestFilter vulnerability
PKSA-mjbz-d7yg-jtdy GHSA-mpqj-f4v3-334h
Affected version: >=3.3.2,<3.3.3|>=3.4.0,<3.4.1
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[LOW] SS-2016-008: Password encryption salt expiry
PKSA-t56m-1ns1-fswz GHSA-f3wp-xpv2-6vmg
Affected version: >=3.1.19,<3.1.20|>=3.2.4,<3.2.5|>=3.3.2,<3.3.3|>=3.4.0,<3.4.1
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] SS-2016-012: Missing ACL on reports
PKSA-hk5w-y52r-kkfj GHSA-5f5v-5c3v-gw5v
Affected version: >=3.1.19,<3.1.20|>=3.2.4,<3.2.5|>=3.3.2,<3.3.3|>=3.4.0,<3.4.1
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] SS-2016-013: Member.Name is not escaped
PKSA-fk63-8cvc-d8nr GHSA-jqp8-v74p-g8px
Affected version: >=3.1.9,<3.1.20|>=3.2.4,<3.2.5|>=3.3.2,<3.3.3|>=3.4.0,<3.4.1
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] SS-2016-015: XSS In OptionsetField and CheckboxSetField
PKSA-379h-891s-2kgm GHSA-hq4p-5mpr-jj9m
Affected version: >=3.1.19,<3.1.20|>=3.2.4,<3.2.5|>=3.3.2,<3.3.3|>=3.4.0,<3.4.1
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] SS-2016-014: Pre-existing alc_enc cookies log users in if remember me is disabled
PKSA-k578-1frj-r2p3 GHSA-mqf5-275h-gf6r
Affected version: >=3.1.19,<3.1.20|>=3.2.4,<3.2.5|>=3.3.2,<3.3.3|>=3.4.0,<3.4.1
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[HIGH] SS-2016-011: ChangePasswordForm does not check Member::canLogIn()
PKSA-fcfc-m8v4-1fmz GHSA-vcg6-8fxc-x5cq
Affected version: >=3.1.19,<3.1.20|>=3.2.4,<3.2.5|>=3.3.2,<3.3.3|>=3.4.0,<3.4.1
Reported by:
GitHub, FriendsOfPHP/security-advisories