CVSS: 5.0EPSS: 0%CPEs: 20EXPL: 2CVE-2010-5087
https://notcve.org/view.php?id=CVE-2010-5087
SilverStripe 2.3.x before 2.3.10 and 2.4.x before 2.4.4 allows remote attackers to bypass the cross-site request forgery (CSRF) protection mechanism and hijack the authentication of administrators via vectors related to "form action requests" using a controller. SilverStripe v2.3.x anterior a v2.3.10 y v2.4.x anterior a v2.4.4 permite a atacantes remotos saltarse el mecanismo de protección contra solicitudes falsificadas en sitios cruzados (CSRF) y secuestrar la autenticación de los administradores a través de vectores relacionados con el formulario de solicitud de acción (form action request) usando un controlador. • http://doc.silverstripe.org/sapphire/en/trunk/changelogs//2.3.10 http://doc.silverstripe.org/sapphire/en/trunk/changelogs//2.4.4 http://open.silverstripe.org/changeset/115182 http://open.silverstripe.org/changeset/115185 http://secunia.com/advisories/42346 http://www.openwall.com/lists/oss-security/2011/01/03/12 http://www.openwall.com/lists/oss-security/2012/04/30/1 http://www.openwall.com/lists/oss-security/2012/04/30/3 http://www.openwall.com/lists/ • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 4.3EPSS: 0%CPEs: 27EXPL: 0CVE-2010-5089
https://notcve.org/view.php?id=CVE-2010-5089
SilverStripe before 2.4.2 does not properly restrict access to pages in draft mode, which allows remote attackers to obtain sensitive information. SilverStripe anterior a v2.4.2 no restringe el acceso adecuadamente a las páginas en modo borrador, lo cual permite a atacantes remotos obtener información sensible. • http://doc.silverstripe.org/sapphire/en/trunk/changelogs//2.4.2 http://open.silverstripe.org/changeset/110757 http://www.openwall.com/lists/oss-security/2012/04/30/1 http://www.openwall.com/lists/oss-security/2012/04/30/3 http://www.openwall.com/lists/oss-security/2012/05/01/3 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 4.0EPSS: 0%CPEs: 27EXPL: 0CVE-2010-5090
https://notcve.org/view.php?id=CVE-2010-5090
SilverStripe before 2.4.2 allows remote authenticated users to change administrator passwords via vectors related to admin/security. SilverStripe anterior a v2.4.2 permite a usuarios remotos autenticados cambiar la contraseña de administrador a través de vectores relacionados con admin/security. • http://doc.silverstripe.org/sapphire/en/trunk/changelogs//2.4.2 http://www.openwall.com/lists/oss-security/2012/04/30/1 http://www.openwall.com/lists/oss-security/2012/04/30/3 http://www.openwall.com/lists/oss-security/2012/05/01/3 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 6.0EPSS: 0%CPEs: 14EXPL: 1CVE-2010-5091
https://notcve.org/view.php?id=CVE-2010-5091
The setName function in filesystem/File.php in SilverStripe 2.3.x before 2.3.8 and 2.4.x before 2.4.1 allows remote authenticated users with CMS author privileges to execute arbitrary PHP code by changing the extension of an uploaded file. La función setName en filesystem/File.php in SilverStripe v2.3.x anterior a v2.3.8 y v2.4.x anterior a v2.4.1 permite a usuarios remotos autenticados con privilegios de autor del CMS ejecutar código PHP arbitrario cambiando la extensión de un fichero subido. • http://dl.packetstormsecurity.net/1006-exploits/silverstripe-shell.txt http://doc.silverstripe.org/sapphire/en/trunk/changelogs//2.3.8 http://doc.silverstripe.org/sapphire/en/trunk/changelogs//2.4.1 http://open.silverstripe.org/changeset/107273 http://open.silverstripe.org/ticket/5693 http://www.openwall.com/lists/oss-security/2012/04/30/1 http://www.openwall.com/lists/oss-security/2012/04/30/3 http://www.openwall.com/lists/oss-security/2012/05/01/3 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.0EPSS: 1%CPEs: 12EXPL: 1CVE-2010-5093
https://notcve.org/view.php?id=CVE-2010-5093
Member_ProfileForm in security/Member.php in SilverStripe 2.3.x before 2.3.7 allows remote attackers to hijack user accounts by saving data using the email address (ID) of another user. Member_ProfileForm en security/Member.php en SilverStripe v2.3.x anterior a v2.3.7 permite a atacantes remotos secuestrar cuentas de usuarios a través del guardado de datos usando la dirección de correo electrónico (ID) de otro usuario. • http://doc.silverstripe.org/sapphire/en/trunk/changelogs//2.3.7 http://open.silverstripe.org/changeset/100744 http://www.openwall.com/lists/oss-security/2012/04/30/1 http://www.openwall.com/lists/oss-security/2012/04/30/3 http://www.openwall.com/lists/oss-security/2012/05/01/3 http://www.silverstripe.org/security-releases • CWE-264: Permissions, Privileges, and Access Controls •