CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2019-12245
https://notcve.org/view.php?id=CVE-2019-12245
25 Sep 2019 — SilverStripe through 4.3.3 has incorrect access control for protected files uploaded via Upload::loadIntoFile(). An attacker may be able to guess a filename in silverstripe/assets via the AssetControlExtension. SilverStripe versiones hasta 4.3.3, presenta un control de acceso incorrecto para los archivos protegidos cargados por medio de la función Upload::loadIntoFile(). Un atacante puede ser capaz de adivinar un nombre de archivo en silverstripe/assets por medio del AssetControlExtension. • https://forum.silverstripe.org/c/releases • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 9.8EPSS: 0%CPEs: 6EXPL: 0CVE-2019-5715
https://notcve.org/view.php?id=CVE-2019-5715
11 Apr 2019 — All versions of SilverStripe 3 prior to 3.6.7 and 3.7.3, and all versions of SilverStripe 4 prior to 4.0.7, 4.1.5, 4.2.4, and 4.3.1 allows Reflected SQL Injection through Form and DataObject. SilverStripe 3 todas las versiones anteriores a 3.6.7 y 3.7.3, y SilverStripe 4 todas las versiones anteriores a 4.0.7, 4.1.5, 4.2.4 y 4.3.1 permiten la inyección SQL reflejada por medio de los componentes Form y DataObject. • https://www.silverstripe.org/download/security-releases • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 1CVE-2017-18049
https://notcve.org/view.php?id=CVE-2017-18049
23 Jan 2018 — In the CSV export feature of SilverStripe before 3.5.6, 3.6.x before 3.6.3, and 4.x before 4.0.1, it's possible for the output to contain macros and scripts, which may be executed if imported without sanitization into common software (including Microsoft Excel). For example, the CSV data may contain untrusted user input from the "First Name" field of a user's /myprofile page. En la característica de exportación CSV de SilverStripe, en versiones anteriores a la 3.5.6, versiones 3.6.x anteriores a la 3.6.3 y ... • https://www.exploit-db.com/exploits/43396 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2017-12849
https://notcve.org/view.php?id=CVE-2017-12849
12 Oct 2017 — Response discrepancy in the login and password reset forms in SilverStripe CMS before 3.5.5 and 3.6.x before 3.6.1 allows remote attackers to enumerate users via timing attacks. Discrepancia de respuestas en los formularios de reinicio de contraseña y login en SilverStripe CMS en versiones anteriores a la 3.5.5 y versiones 3.6.x anteriores a la 3.6.1 permite que atacantes remotos enumeren usuarios mediante ataques de sincronización. • https://www.silverstripe.org/download/security-releases/ss-2017-005 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2017-14498
https://notcve.org/view.php?id=CVE-2017-14498
15 Sep 2017 — SilverStripe CMS before 3.6.1 has XSS via an SVG document that is mishandled by (1) the Insert Media option in the content editor or (2) an admin/assets/add pathname, as demonstrated by the admin/pages/edit/EditorToolbar/MediaForm/field/AssetUploadField/upload URI, aka issue SS-2017-017. Existe una vulnerabilidad de tipo Cross-Site Scripting (XSS) en SilverStripe CMS en versiones anteriores a la 3.6.1 mediante un documento SVG que no es gestionado correctamente por (1) la opción Insert Media en el editor de... • http://lists.openwall.net/full-disclosure/2017/09/14/2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0CVE-2017-5197
https://notcve.org/view.php?id=CVE-2017-5197
06 Mar 2017 — There is XSS in SilverStripe CMS before 3.4.4 and 3.5.x before 3.5.2. The attack vector is a page name. An example payload is a crafted JavaScript event handler within a malformed SVG element. Hay una XSS en SilverStripe CMS en versiones anteriores a 3.4.4 y 3.5.x en versiones anteriores a 3.5.2. El vector de ataque es un nombre de página. • http://www.securityfocus.com/bid/96572 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2015-8606
https://notcve.org/view.php?id=CVE-2015-8606
13 Apr 2016 — Multiple cross-site scripting (XSS) vulnerabilities in SilverStripe CMS & Framework before 3.1.16 and 3.2.x before 3.2.1 allow remote attackers to inject arbitrary web script or HTML via the (1) Locale or (2) FailedLoginCount parameter to admin/security/EditForm/field/Members/item/new/ItemEditForm. Múltiples vulnerabilidades de XSS en SilverStripe CMS & Framework en versiones anteriores a 3.1.16 y 3.2.x en versiones anteriores a 3.2.1 permiten a atacantes remotos inyectar secuencias de comandos web o HTML a... • http://seclists.org/fulldisclosure/2015/Dec/55 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 12%CPEs: 24EXPL: 5CVE-2011-4958 – SilverStripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities
https://notcve.org/view.php?id=CVE-2011-4958
08 Apr 2014 — Cross-site scripting (XSS) vulnerability in the process function in SSViewer.php in SilverStripe before 2.3.13 and 2.4.x before 2.4.6 allows remote attackers to inject arbitrary web script or HTML via the QUERY_STRING to template placeholders, as demonstrated by a request to (1) admin/reports/, (2) admin/comments/, (3) admin/, (4) admin/show/, (5) admin/assets/, and (6) admin/security/. Vulnerabilidad de XSS en la función de proceso en SSViewer.php en SilverStripe anterior a 2.3.13 y 2.4.x anterior a 2.4.6 ... • https://www.exploit-db.com/exploits/36226 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2012-6458 – SilverStripe CMS Cross Site Scripting
https://notcve.org/view.php?id=CVE-2012-6458
15 Jul 2013 — Multiple cross-site scripting (XSS) vulnerabilities in the SilverStripe e-commerce module 3.0 for SilverStripe CMS allow remote attackers to inject arbitrary web script or HTML via the (1) FirstName, (2) Surname, or (3) Email parameter to code/forms/OrderFormAddress.php; or the (4) FirstName or (5) Surname parameter to code/forms/ShopAccountForm.php. Múltiples vulnerabilidades de cross-site scripting (XSS) en el módulo SilverStripe e-commerce v3.0 para SilverStripe CMS, permite a atacantes remotos inyectar ... • http://archives.neohapsis.com/archives/bugtraq/2013-07/0090.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 14EXPL: 2CVE-2010-4823
https://notcve.org/view.php?id=CVE-2010-4823
17 Sep 2012 — Cross-site scripting (XSS) vulnerability in the httpError method in sapphire/core/control/RequestHandler.php in SilverStripe 2.3.x before 2.3.10 and 2.4.x before 2.4.4, when custom error handling is not used, allows remote attackers to inject arbitrary web script or HTML via "missing URL actions." Una vulnerabilidad de ejecución de comandos en sitios cruzados (XSS) en el método httpError en spphire/core/control/RequestHandler.php en SilverStripe v2.3.x antes de v2.3.10 y v2.4.x antes de v2.4.4, cuando el co... • http://doc.silverstripe.org/framework/en/trunk/changelogs//2.4.4 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •