CVSS: 4.8EPSS: 12%CPEs: 24EXPL: 5CVE-2011-4958 – SilverStripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities
https://notcve.org/view.php?id=CVE-2011-4958
08 Apr 2014 — Cross-site scripting (XSS) vulnerability in the process function in SSViewer.php in SilverStripe before 2.3.13 and 2.4.x before 2.4.6 allows remote attackers to inject arbitrary web script or HTML via the QUERY_STRING to template placeholders, as demonstrated by a request to (1) admin/reports/, (2) admin/comments/, (3) admin/, (4) admin/show/, (5) admin/assets/, and (6) admin/security/. Vulnerabilidad de XSS en la función de proceso en SSViewer.php en SilverStripe anterior a 2.3.13 y 2.4.x anterior a 2.4.6 ... • https://www.exploit-db.com/exploits/36226 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2013-6789
https://notcve.org/view.php?id=CVE-2013-6789
13 Nov 2013 — security/MemberLoginForm.php in SilverStripe 3.0.3 supports credentials in a GET request, which allows remote or local attackers to obtain sensitive information by reading web-server access logs, web-server Referer logs, or the browser history, a similar vulnerability to CVE-2013-2653. security/ MemberLoginForm.php en SilverStripe 3.0.3 apoya las credenciales en una solicitud GET, que permite a atacantes remotos o locales obtener información sensible mediante la lectura de los registros de log de acceso del... • http://seclists.org/bugtraq/2013/Aug/12 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.8EPSS: 3%CPEs: 1EXPL: 3CVE-2013-2653 – SilverStripe CMS - 'MemberLoginForm.php' Information Disclosure
https://notcve.org/view.php?id=CVE-2013-2653
02 Aug 2013 — security/MemberLoginForm.php in SilverStripe 3.0.3 supports login using a GET request, which makes it easier for remote attackers to conduct phishing attacks without detection by the victim. security/MemberLoginForm.php en SilverStripe 3.0.3 ofrece soporte al inicio de sesión mediante el uso de una petición GET, lo que hace más sencillo para atacantes remotos llevar a cabo ataques de phishing sin detección por parte de la víctima. SilverStripe CMS version 3.0.3 suffers from an information exposure issue thr... • https://packetstorm.news/files/id/122650 • CWE-20: Improper Input Validation •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2012-6458 – SilverStripe CMS Cross Site Scripting
https://notcve.org/view.php?id=CVE-2012-6458
15 Jul 2013 — Multiple cross-site scripting (XSS) vulnerabilities in the SilverStripe e-commerce module 3.0 for SilverStripe CMS allow remote attackers to inject arbitrary web script or HTML via the (1) FirstName, (2) Surname, or (3) Email parameter to code/forms/OrderFormAddress.php; or the (4) FirstName or (5) Surname parameter to code/forms/ShopAccountForm.php. Múltiples vulnerabilidades de cross-site scripting (XSS) en el módulo SilverStripe e-commerce v3.0 para SilverStripe CMS, permite a atacantes remotos inyectar ... • http://archives.neohapsis.com/archives/bugtraq/2013-07/0090.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 1CVE-2010-4822
https://notcve.org/view.php?id=CVE-2010-4822
17 Sep 2012 — core/model/MySQLDatabase.php in SilverStripe 2.4.x before 2.4.4, when the site is running in "live mode," allows remote attackers to obtain the SQL queries for a page via the showqueries and ajax parameters. core/model/MySQLDatabase.php en SilverStripe 2.4.x anterior a v2.4.4, cuando el sitio se ejecuta en "live mode", permite a atacantes remotos obtener los comandos SQL de una página a través de los parámetros showqueries y ajax. • http://doc.silverstripe.org/framework/en/trunk/changelogs//2.4.4 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.1EPSS: 0%CPEs: 14EXPL: 2CVE-2010-4823
https://notcve.org/view.php?id=CVE-2010-4823
17 Sep 2012 — Cross-site scripting (XSS) vulnerability in the httpError method in sapphire/core/control/RequestHandler.php in SilverStripe 2.3.x before 2.3.10 and 2.4.x before 2.4.4, when custom error handling is not used, allows remote attackers to inject arbitrary web script or HTML via "missing URL actions." Una vulnerabilidad de ejecución de comandos en sitios cruzados (XSS) en el método httpError en spphire/core/control/RequestHandler.php en SilverStripe v2.3.x antes de v2.3.10 y v2.4.x antes de v2.4.4, cuando el co... • http://doc.silverstripe.org/framework/en/trunk/changelogs//2.4.4 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 1%CPEs: 14EXPL: 2CVE-2010-4824
https://notcve.org/view.php?id=CVE-2010-4824
17 Sep 2012 — SQL injection vulnerability in the augmentSQL method in core/model/Translatable.php in SilverStripe 2.3.x before 2.3.10 and 2.4.x before 2.4.4, when the Translatable extension is enabled, allows remote attackers to execute arbitrary SQL commands via the locale parameter. Una vulnerabilidad de inyección SQL en el método augmentSQL en el core/model/Translatable.php en SilverStripe v2.3.x antes de v2.3.10 y v2.4.x antes de v2.4.4, cuando la extensión 'Translatable' está activada, permite a atacantes remotos ej... • http://doc.silverstripe.org/framework/en/trunk/changelogs//2.3.10 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 0%CPEs: 14EXPL: 0CVE-2010-5078
https://notcve.org/view.php?id=CVE-2010-5078
17 Sep 2012 — SilverStripe 2.3.x before 2.3.10 and 2.4.x before 2.4.4 stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain version information via a direct request to (1) apphire/silverstripe_version or (2) cms/silverstripe_version. SilverStripe v2.3.x antes de v2.3.10 y v2.4.x antes de v2.4.4 almacena información sensible bajo la raíz web con controles de acceso insuficientes, lo que permite a atacantes remotos obtener información de la versión a travé... • http://doc.silverstripe.org/framework/en/trunk/changelogs//2.3.10 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 5.3EPSS: 1%CPEs: 14EXPL: 0CVE-2010-5079
https://notcve.org/view.php?id=CVE-2010-5079
17 Sep 2012 — SilverStripe 2.3.x before 2.3.10 and 2.4.x before 2.4.4 uses weak entropy when generating tokens for (1) the CSRF protection mechanism, (2) autologin, (3) "forgot password" functionality, and (4) password salts, which makes it easier for remote attackers to bypass intended access restrictions via unspecified vectors. SilverStripe 2.3.x antes de 2.3.10 y 2.4.x antes de 2.4.4 utiliza una entropía débil para la generación de fichas para (1) el mecanismo de protección CSRF, (2) el inicio de sesión automático (a... • http://doc.silverstripe.org/framework/en/trunk/changelogs//2.3.10 • CWE-310: Cryptographic Issues •
CVSS: 9.8EPSS: 0%CPEs: 18EXPL: 3CVE-2011-4959
https://notcve.org/view.php?id=CVE-2011-4959
17 Sep 2012 — SQL injection vulnerability in the addslashes method in SilverStripe 2.3.x before 2.3.12 and 2.4.x before 2.4.6, when connected to a MySQL database using far east character encodings, allows remote attackers to execute arbitrary SQL commands via unspecified vectors. Vulnerabilidad de inyección SQL en el método addslashes en SilverStripe v2.3.x antes de v2.3.12 y v2.4.x antes de v2.4.6, cuando se conecta a una base de datos MySQL usando una codificación de caracteres del lejano oriente, permite a atacantes r... • http://doc.silverstripe.org/framework/en/trunk/changelogs/2.3.12 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •