ReportizFlow
Filtered by vendor Silverstripe
Subscriptions
Total
91 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-37421 | 1 Silverstripe | 1 Silverstripe | 2025-04-26 | 5.4 Medium |
| Silverstripe silverstripe/cms through 4.11.0 allows XSS. | ||||
| CVE-2022-29254 | 1 Silverstripe | 1 Silverstripe-omnipay | 2025-04-23 | 3.7 Low |
| silverstripe-omnipay is a SilverStripe integration with Omnipay PHP payments library. For a subset of Omnipay gateways (those that use intermediary states like `isNotification()` or `isRedirect()`), if the payment identifier or success URL is exposed it is possible for payments to be prematurely marked as completed without payment being taken. This is mitigated by the fact that most payment gateways hide this information from users, however some issuing banks offer flawed 3DSecure implementations that may inadvertently expose this data. The following versions have been patched to fix this issue: `2.5.2`, `3.0.2`, `3.1.4`, and `3.2.1`. There are no known workarounds for this vulnerability. | ||||
| CVE-2017-14498 | 1 Silverstripe | 1 Silverstripe | 2025-04-20 | N/A |
| SilverStripe CMS before 3.6.1 has XSS via an SVG document that is mishandled by (1) the Insert Media option in the content editor or (2) an admin/assets/add pathname, as demonstrated by the admin/pages/edit/EditorToolbar/MediaForm/field/AssetUploadField/upload URI, aka issue SS-2017-017. | ||||
| CVE-2017-5197 | 1 Silverstripe | 1 Silverstripe | 2025-04-20 | N/A |
| There is XSS in SilverStripe CMS before 3.4.4 and 3.5.x before 3.5.2. The attack vector is a page name. An example payload is a crafted JavaScript event handler within a malformed SVG element. | ||||
| CVE-2017-12849 | 1 Silverstripe | 1 Silverstripe | 2025-04-20 | N/A |
| Response discrepancy in the login and password reset forms in SilverStripe CMS before 3.5.5 and 3.6.x before 3.6.1 allows remote attackers to enumerate users via timing attacks. | ||||
| CVE-2022-42949 | 1 Silverstripe | 1 Subsites | 2025-04-17 | 7.5 High |
| Silverstripe silverstripe/subsites through 2.6.0 has Insecure Permissions. | ||||
| CVE-2011-4958 | 1 Silverstripe | 1 Silverstripe | 2025-04-12 | N/A |
| Cross-site scripting (XSS) vulnerability in the process function in SSViewer.php in SilverStripe before 2.3.13 and 2.4.x before 2.4.6 allows remote attackers to inject arbitrary web script or HTML via the QUERY_STRING to template placeholders, as demonstrated by a request to (1) admin/reports/, (2) admin/comments/, (3) admin/, (4) admin/show/, (5) admin/assets/, and (6) admin/security/. | ||||
| CVE-2015-8606 | 1 Silverstripe | 1 Silverstripe | 2025-04-12 | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in SilverStripe CMS & Framework before 3.1.16 and 3.2.x before 3.2.1 allow remote attackers to inject arbitrary web script or HTML via the (1) Locale or (2) FailedLoginCount parameter to admin/security/EditForm/field/Members/item/new/ItemEditForm. | ||||
| CVE-2015-5062 | 1 Silverstripe | 1 Silverstripe | 2025-04-12 | N/A |
| Open redirect vulnerability in SilverStripe CMS & Framework 3.1.13 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the returnURL parameter to dev/build. | ||||
| CVE-2015-5063 | 1 Silverstripe | 1 Silverstripe | 2025-04-12 | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in SilverStripe CMS & Framework 3.1.13 allow remote attackers to inject arbitrary web script or HTML via the (1) admin_username or (2) admin_password parameter to install.php. | ||||
| CVE-2010-5087 | 1 Silverstripe | 1 Silverstripe | 2025-04-11 | N/A |
| SilverStripe 2.3.x before 2.3.10 and 2.4.x before 2.4.4 allows remote attackers to bypass the cross-site request forgery (CSRF) protection mechanism and hijack the authentication of administrators via vectors related to "form action requests" using a controller. | ||||
| CVE-2010-5187 | 1 Silverstripe | 1 Silverstripe | 2025-04-11 | N/A |
| SilverStripe 2.3.x before 2.3.8 and 2.4.x before 2.4.1, when running on servers with certain configurations, allows remote attackers to obtain sensitive information via a direct request to PHP files in the (1) sapphire, (2) cms, or (3) mysite folders, which reveals the installation path in an error message. | ||||
| CVE-2013-2653 | 1 Silverstripe | 1 Silverstripe | 2025-04-11 | N/A |
| security/MemberLoginForm.php in SilverStripe 3.0.3 supports login using a GET request, which makes it easier for remote attackers to conduct phishing attacks without detection by the victim. | ||||
| CVE-2010-5080 | 1 Silverstripe | 1 Silverstripe | 2025-04-11 | N/A |
| The Security/changepassword URL action in SilverStripe 2.3.x before 2.3.10 and 2.4.x before 2.4.4 passes a token as a GET parameter while changing a password through email, which allows remote attackers to obtain sensitive data and hijack the session via the HTTP referer logs on a server, aka "HTTP referer leakage." | ||||
| CVE-2010-5090 | 1 Silverstripe | 1 Silverstripe | 2025-04-11 | N/A |
| SilverStripe before 2.4.2 allows remote authenticated users to change administrator passwords via vectors related to admin/security. | ||||
| CVE-2010-5188 | 1 Silverstripe | 1 Silverstripe | 2025-04-11 | N/A |
| SilverStripe 2.3.x before 2.3.6 allows remote attackers to obtain sensitive information via the (1) debug_memory parameter to core/control/Director.php or (2) debug_profile parameter to main.php. | ||||
| CVE-2010-5095 | 1 Silverstripe | 1 Silverstripe | 2025-04-11 | N/A |
| Cross-site scripting (XSS) vulnerability in SilverStripe 2.3.x before 2.3.6 allows remote attackers to inject arbitrary web script or HTML via vectors related to DataObjectSet pagination. | ||||
| CVE-2010-5091 | 1 Silverstripe | 1 Silverstripe | 2025-04-11 | N/A |
| The setName function in filesystem/File.php in SilverStripe 2.3.x before 2.3.8 and 2.4.x before 2.4.1 allows remote authenticated users with CMS author privileges to execute arbitrary PHP code by changing the extension of an uploaded file. | ||||
| CVE-2010-5094 | 1 Silverstripe | 1 Silverstripe | 2025-04-11 | N/A |
| The deleteinstallfiles function in control/ContentController.php in SilverStripe 2.3.x before 2.3.7 does not require ADMIN permissions, which allows remote attackers to delete index.php and "disrupt mod_rewrite-less URL routing." | ||||
| CVE-2010-5089 | 1 Silverstripe | 1 Silverstripe | 2025-04-11 | N/A |
| SilverStripe before 2.4.2 does not properly restrict access to pages in draft mode, which allows remote attackers to obtain sensitive information. | ||||