
CVE-2015-8606
https://notcve.org/view.php?id=CVE-2015-8606
13 Apr 2016 — Multiple cross-site scripting (XSS) vulnerabilities in SilverStripe CMS & Framework before 3.1.16 and 3.2.x before 3.2.1 allow remote attackers to inject arbitrary web script or HTML via the (1) Locale or (2) FailedLoginCount parameter to admin/security/EditForm/field/Members/item/new/ItemEditForm. Múltiples vulnerabilidades de XSS en SilverStripe CMS & Framework en versiones anteriores a 3.1.16 y 3.2.x en versiones anteriores a 3.2.1 permiten a atacantes remotos inyectar secuencias de comandos web o HTML a... • http://seclists.org/fulldisclosure/2015/Dec/55 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2011-4958 – SilverStripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities
https://notcve.org/view.php?id=CVE-2011-4958
08 Apr 2014 — Cross-site scripting (XSS) vulnerability in the process function in SSViewer.php in SilverStripe before 2.3.13 and 2.4.x before 2.4.6 allows remote attackers to inject arbitrary web script or HTML via the QUERY_STRING to template placeholders, as demonstrated by a request to (1) admin/reports/, (2) admin/comments/, (3) admin/, (4) admin/show/, (5) admin/assets/, and (6) admin/security/. Vulnerabilidad de XSS en la función de proceso en SSViewer.php en SilverStripe anterior a 2.3.13 y 2.4.x anterior a 2.4.6 ... • https://www.exploit-db.com/exploits/36226 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2010-5089
https://notcve.org/view.php?id=CVE-2010-5089
26 Aug 2012 — SilverStripe before 2.4.2 does not properly restrict access to pages in draft mode, which allows remote attackers to obtain sensitive information. SilverStripe anterior a v2.4.2 no restringe el acceso adecuadamente a las páginas en modo borrador, lo cual permite a atacantes remotos obtener información sensible. • http://doc.silverstripe.org/sapphire/en/trunk/changelogs//2.4.2 • CWE-264: Permissions, Privileges, and Access Controls •

CVE-2010-5090
https://notcve.org/view.php?id=CVE-2010-5090
26 Aug 2012 — SilverStripe before 2.4.2 allows remote authenticated users to change administrator passwords via vectors related to admin/security. SilverStripe anterior a v2.4.2 permite a usuarios remotos autenticados cambiar la contraseña de administrador a través de vectores relacionados con admin/security. • http://doc.silverstripe.org/sapphire/en/trunk/changelogs//2.4.2 • CWE-264: Permissions, Privileges, and Access Controls •

CVE-2010-1593
https://notcve.org/view.php?id=CVE-2010-1593
28 Apr 2010 — Multiple cross-site scripting (XSS) vulnerabilities in SilverStripe before 2.3.5 allow remote attackers to inject arbitrary web script or HTML via (1) the CommenterURL parameter to PostCommentForm, and in the Forum module before 0.2.5 in SilverStripe before 2.3.5 allow remote attackers to inject arbitrary web script or HTML via (2) the Search parameter to forums/search (aka the search script). Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en SilverStripe anterior... • http://archives.neohapsis.com/archives/fulldisclosure/2010-01/0450.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2008-6753
https://notcve.org/view.php?id=CVE-2008-6753
27 Apr 2009 — SQL injection vulnerability in SilverStripe before 2.2.2 allows remote attackers to execute arbitrary SQL commands via unspecified vectors related to AjaxUniqueTextField. Vulnerabilidad de inyección SQL en SilverStripe anterior a v2.2.2 permite a atacantes remotos ejecutar comandos SQL a su elección a través de vectores no especificados relacionados con AjaxUniqueTextField. • http://silverstripe.org/archive/show/43794 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2009-1433
https://notcve.org/view.php?id=CVE-2009-1433
24 Apr 2009 — SQL injection vulnerability in File::find (filesystem/File.php) in SilverStripe before 2.3.1 allows remote attackers to execute arbitrary SQL commands via the filename parameter. Vulnerabilidad de inyección SQL en File::find (filesystem/File.php) in SilverStripe antes de v2.3.1 permite a atacantes remotos ejecutar comandos SQL a través del parámetro de nombre de archivo. • http://open.silverstripe.com/ticket/3721 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •