CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2015-8606
https://notcve.org/view.php?id=CVE-2015-8606
13 Apr 2016 — Multiple cross-site scripting (XSS) vulnerabilities in SilverStripe CMS & Framework before 3.1.16 and 3.2.x before 3.2.1 allow remote attackers to inject arbitrary web script or HTML via the (1) Locale or (2) FailedLoginCount parameter to admin/security/EditForm/field/Members/item/new/ItemEditForm. Múltiples vulnerabilidades de XSS en SilverStripe CMS & Framework en versiones anteriores a 3.1.16 y 3.2.x en versiones anteriores a 3.2.1 permiten a atacantes remotos inyectar secuencias de comandos web o HTML a... • http://seclists.org/fulldisclosure/2015/Dec/55 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 12%CPEs: 24EXPL: 5CVE-2011-4958 – SilverStripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities
https://notcve.org/view.php?id=CVE-2011-4958
08 Apr 2014 — Cross-site scripting (XSS) vulnerability in the process function in SSViewer.php in SilverStripe before 2.3.13 and 2.4.x before 2.4.6 allows remote attackers to inject arbitrary web script or HTML via the QUERY_STRING to template placeholders, as demonstrated by a request to (1) admin/reports/, (2) admin/comments/, (3) admin/, (4) admin/show/, (5) admin/assets/, and (6) admin/security/. Vulnerabilidad de XSS en la función de proceso en SSViewer.php en SilverStripe anterior a 2.3.13 y 2.4.x anterior a 2.4.6 ... • https://www.exploit-db.com/exploits/36226 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 14EXPL: 2CVE-2010-4823
https://notcve.org/view.php?id=CVE-2010-4823
17 Sep 2012 — Cross-site scripting (XSS) vulnerability in the httpError method in sapphire/core/control/RequestHandler.php in SilverStripe 2.3.x before 2.3.10 and 2.4.x before 2.4.4, when custom error handling is not used, allows remote attackers to inject arbitrary web script or HTML via "missing URL actions." Una vulnerabilidad de ejecución de comandos en sitios cruzados (XSS) en el método httpError en spphire/core/control/RequestHandler.php en SilverStripe v2.3.x antes de v2.3.10 y v2.4.x antes de v2.4.4, cuando el co... • http://doc.silverstripe.org/framework/en/trunk/changelogs//2.4.4 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 1%CPEs: 14EXPL: 2CVE-2010-4824
https://notcve.org/view.php?id=CVE-2010-4824
17 Sep 2012 — SQL injection vulnerability in the augmentSQL method in core/model/Translatable.php in SilverStripe 2.3.x before 2.3.10 and 2.4.x before 2.4.4, when the Translatable extension is enabled, allows remote attackers to execute arbitrary SQL commands via the locale parameter. Una vulnerabilidad de inyección SQL en el método augmentSQL en el core/model/Translatable.php en SilverStripe v2.3.x antes de v2.3.10 y v2.4.x antes de v2.4.4, cuando la extensión 'Translatable' está activada, permite a atacantes remotos ej... • http://doc.silverstripe.org/framework/en/trunk/changelogs//2.3.10 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 0%CPEs: 14EXPL: 0CVE-2010-5078
https://notcve.org/view.php?id=CVE-2010-5078
17 Sep 2012 — SilverStripe 2.3.x before 2.3.10 and 2.4.x before 2.4.4 stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain version information via a direct request to (1) apphire/silverstripe_version or (2) cms/silverstripe_version. SilverStripe v2.3.x antes de v2.3.10 y v2.4.x antes de v2.4.4 almacena información sensible bajo la raíz web con controles de acceso insuficientes, lo que permite a atacantes remotos obtener información de la versión a travé... • http://doc.silverstripe.org/framework/en/trunk/changelogs//2.3.10 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 5.3EPSS: 1%CPEs: 14EXPL: 0CVE-2010-5079
https://notcve.org/view.php?id=CVE-2010-5079
17 Sep 2012 — SilverStripe 2.3.x before 2.3.10 and 2.4.x before 2.4.4 uses weak entropy when generating tokens for (1) the CSRF protection mechanism, (2) autologin, (3) "forgot password" functionality, and (4) password salts, which makes it easier for remote attackers to bypass intended access restrictions via unspecified vectors. SilverStripe 2.3.x antes de 2.3.10 y 2.4.x antes de 2.4.4 utiliza una entropía débil para la generación de fichas para (1) el mecanismo de protección CSRF, (2) el inicio de sesión automático (a... • http://doc.silverstripe.org/framework/en/trunk/changelogs//2.3.10 • CWE-310: Cryptographic Issues •
CVSS: 9.8EPSS: 0%CPEs: 18EXPL: 3CVE-2011-4959
https://notcve.org/view.php?id=CVE-2011-4959
17 Sep 2012 — SQL injection vulnerability in the addslashes method in SilverStripe 2.3.x before 2.3.12 and 2.4.x before 2.4.6, when connected to a MySQL database using far east character encodings, allows remote attackers to execute arbitrary SQL commands via unspecified vectors. Vulnerabilidad de inyección SQL en el método addslashes en SilverStripe v2.3.x antes de v2.3.12 y v2.4.x antes de v2.4.6, cuando se conecta a una base de datos MySQL usando una codificación de caracteres del lejano oriente, permite a atacantes r... • http://doc.silverstripe.org/framework/en/trunk/changelogs/2.3.12 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: 17EXPL: 1CVE-2011-4960
https://notcve.org/view.php?id=CVE-2011-4960
17 Sep 2012 — SQL injection vulnerability in the Folder::findOrMake method in SilverStripe 2.3.x before 2.3.12 and 2.4.x before 2.4.6 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. Una vulnerabilidad de inyección SQL en el método Folder::findOrMake en SilverStripe v2.3.x antes de v2.3.12 y v2.4.x antes de v2.4.6 permite a atacantes remotos ejecutar comandos SQL a través de vectores no especificados. • http://doc.silverstripe.org/framework/en/trunk/changelogs/2.3.12 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 0%CPEs: 18EXPL: 0CVE-2011-4961
https://notcve.org/view.php?id=CVE-2011-4961
17 Sep 2012 — SilverStripe 2.3.x before 2.3.12 and 2.4.x before 2.4.6 allows remote authenticated users with the EDIT_PERMISSIONS permission to gain administrator privileges via a TreeMultiselectField that includes admin groups when adding a user to the selected groups. SilverStripe v2.3.x antes de v2.3.12 y v2.4.x antes de v2.4.6 permite obtener permisos de administrador a usuarios remotos autenticados con el permiso 'EDIT_PERMISSIONS' a través de un 'TreeMultiselectField' que incluye grupos de administradores al agrega... • http://doc.silverstripe.org/framework/en/trunk/changelogs/2.3.12 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 6.1EPSS: 0%CPEs: 19EXPL: 1CVE-2012-4968
https://notcve.org/view.php?id=CVE-2012-4968
17 Sep 2012 — Multiple cross-site scripting (XSS) vulnerabilities in SilverStripe 2.3.x before 2.3.13 and 2.4.x before 2.4.7 allow remote attackers to inject arbitrary web script or HTML via (1) a crafted string to the AbsoluteLinks, (2) BigSummary, (3) ContextSummary, (4) EscapeXML, (5) FirstParagraph, (6) FirstSentence, (7) Initial, (8) LimitCharacters, (9) LimitSentences, (10) LimitWordCount, (11) LimitWordCountXML, (12) Lower, (13) LowerCase, (14) NoHTML, (15) Summary, (16) Upper, (17) UpperCase, or (18) URL method i... • http://doc.silverstripe.org/framework/en/trunk/changelogs/2.3.13 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •