CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2022-38148
https://notcve.org/view.php?id=CVE-2022-38148
21 Nov 2022 — Silverstripe silverstripe/framework through 4.11 allows SQL Injection. Silverstripe silverstripe/framework hasta 4.11 permite la inyección SQL. • https://forum.silverstripe.org/c/releases • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.4EPSS: 1%CPEs: 1EXPL: 0CVE-2022-28803
https://notcve.org/view.php?id=CVE-2022-28803
29 Jun 2022 — In SilverStripe Framework through 2022-04-07, Stored XSS can occur in javascript link tags added via XMLHttpRequest (XHR). En SilverStripe Framework versiones hasta 07-04-2022, un ataque de tipo XSS almacenado puede ocurrir en etiquetas de enlace javascript añadidas por medio de XMLHttpRequest (XHR) • https://silverstripe.org • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2022-25238
https://notcve.org/view.php?id=CVE-2022-25238
28 Jun 2022 — Silverstripe silverstripe/framework through 4.10.0 allows XSS, inside of script tags that can can be added to website content via XHR by an authenticated CMS user if the cwp-core module is not installed on the sanitise_server_side contig is not set to true in project code. Silverstripe silverstripe/framework versiones hasta 4.10.0, permite un ataque de tipo XSS, dentro de las etiquetas de script que pueden ser añadidas al contenido del sitio web por medio de XHR por un usuario autenticado del CMS si el módu... • https://docs.silverstripe.org/en/4/changelogs/4.10.1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 1CVE-2022-29858
https://notcve.org/view.php?id=CVE-2022-29858
28 Jun 2022 — Silverstripe silverstripe/assets through 1.10 is vulnerable to improper access control that allows protected images to be published by changing an existing image short code on website content. Silverstripe silverstripe/assets hasta la versión 1.10 es vulnerable a un control de acceso inadecuado que permite publicar imágenes protegidas cambiando un código corto de imagen existente en el contenido del sitio web • https://forum.silverstripe.org/c/releases • CWE-287: Improper Authentication •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2022-24444
https://notcve.org/view.php?id=CVE-2022-24444
28 Jun 2022 — Silverstripe silverstripe/framework through 4.10 allows Session Fixation. Silverstripe silverstripe/framework versiones hasta 4.10, permite una Fijación de Sesión • https://docs.silverstripe.org/en/4/changelogs/4.10.1 • CWE-384: Session Fixation •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-41559
https://notcve.org/view.php?id=CVE-2021-41559
28 Jun 2022 — Silverstripe silverstripe/framework 4.8.1 has a quadratic blowup in Convert::xml2array() that enables a remote attack via a crafted XML document. Silverstripe silverstripe/framework 4.8.1, presenta una explosión cuadrática en la función Convert::xml2array() que permite un ataque remoto por medio de un documento XML diseñado • https://github.com/silverstripe/silverstripe-framework/releases • CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') •
CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0CVE-2022-29254 – Failed payment recorded has completed in silverstripe/silverstripe-omnipay
https://notcve.org/view.php?id=CVE-2022-29254
06 Jun 2022 — silverstripe-omnipay is a SilverStripe integration with Omnipay PHP payments library. For a subset of Omnipay gateways (those that use intermediary states like `isNotification()` or `isRedirect()`), if the payment identifier or success URL is exposed it is possible for payments to be prematurely marked as completed without payment being taken. This is mitigated by the fact that most payment gateways hide this information from users, however some issuing banks offer flawed 3DSecure implementations that may i... • https://github.com/silverstripe/silverstripe-omnipay/commit/7dee9a1e0a5f54c2dc06e018cff3d9a19044e01b • CWE-436: Interpretation Conflict •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 1CVE-2021-28661
https://notcve.org/view.php?id=CVE-2021-28661
07 Oct 2021 — Default SilverStripe GraphQL Server (aka silverstripe/graphql) 3.x through 3.4.1 permission checker not inherited by query subclass. El comprobador de permisos predeterminado de SilverStripe GraphQL Server (también se conoce como silverstripe/graphql) versiones 3.x hasta 3.4.1, no es heredado por la subclase query • https://github.com/silverstripe/silverstripe-graphql/releases • CWE-863: Incorrect Authorization •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2021-36150
https://notcve.org/view.php?id=CVE-2021-36150
07 Oct 2021 — SilverStripe Framework through 4.8.1 allows XSS. SilverStripe Framework versiones hasta 4.8.1, permite un ataque de tipo XSS • https://github.com/silverstripe/silverstripe-framework/releases • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 1CVE-2020-26136
https://notcve.org/view.php?id=CVE-2020-26136
08 Jun 2021 — In SilverStripe through 4.6.0-rc1, GraphQL doesn't honour MFA (multi-factor authentication) when using basic authentication. En SilverStripe versiones hasta 4.6.0-rc1, GraphQL no respecta MFA (multi-factor authentication) cuando se usa la autenticación básica • https://forum.silverstripe.org/c/releases • CWE-287: Improper Authentication •