Page 4 of 35 results (0.026 seconds)

CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0

SilverStripe through 4.4.x before 4.4.5 and 4.5.x before 4.5.2 allows Reflected XSS on the login form and custom forms. Silverstripe Forms allow malicious HTML or JavaScript to be inserted through non-scalar FormField attributes, which allows performing XSS (Cross-Site Scripting) on some forms built with user input (Request data). This can lead to phishing attempts to obtain a user's credentials or other sensitive user input. SilverStripe versiones hasta 4.4.x anteriores a 4.4.5 y versiones 4.5.x anteriores a 4.5.2, permite un ataque de tipo XSS Reflejado en el formulario de inicio de sesión y formularios personalizados. Silverstripe Forms permite insertar HTML o JavaScript malicioso por medio de atributos FormField no escalares, lo que permite llevar a cabo un ataque de tipo XSS (Cross-Site Scripting) en algunos formularios creados con la entrada del usuario (Request data). • https://www.silverstripe.org/download/security-releases/cve-2019-19325 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0

In the Versioned Files module through 2.0.3 for SilverStripe 3.x, unpublished versions of files are publicly exposed to anyone who can guess their URL. This guess could be highly informed by a basic understanding of the symbiote/silverstripe-versionedfiles source code. (Users who upgrade from SilverStripe 3.x to 4.x and had Versioned Files installed have no further need for this module, because the 4.x release has built-in versioning. However, nothing in the upgrade process automates the destruction of these insecure artefacts, nor alerts the user to the criticality of destruction.) En el módulo Versioned Files versiones hasta 2.0.3 para SilverStripe versiones 3.x, las versiones no publicadas de archivos se exponen públicamente a cualquiera que pueda adivinar su URL. • https://github.com/silverstripe/silverstripe-framework https://github.com/symbiote/silverstripe-versionedfiles https://www.silverstripe.org/download/security-releases/cve-2019-16409 •

CVSS: 4.0EPSS: 0%CPEs: 1EXPL: 0

In SilverStripe through 4.3.3, there is access escalation for CMS users with limited access through permission cache pollution. En SilverStripe versiones hasta 4.3.3, se presenta una escalada de acceso para usuarios de CMS con acceso limitado mediante la contaminación de la caché de permisos. • https://forum.silverstripe.org/c/releases https://www.silverstripe.org/blog/tag/release https://www.silverstripe.org/download/security-releases https://www.silverstripe.org/download/security-releases/CVE-2019-12617 •

CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0

In SilverStripe asset-admin 4.0, there is XSS in file titles managed through the CMS. En SilverStripe asset-admin versión 4.0, se presenta una vulnerabilidad de tipo XSS en los títulos de archivos administrados mediante el CMS. • https://forum.silverstripe.org/c/releases https://www.silverstripe.org/blog/tag/release https://www.silverstripe.org/download/security-releases https://www.silverstripe.org/download/security-releases/CVE-2019-14272 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0

In SilverStripe assets 4.0, there is broken access control on files. En SilverStripe assets versión 4.0, se presenta un control de acceso violado en los archivos. • https://forum.silverstripe.org/c/releases https://www.silverstripe.org/blog/tag/release https://www.silverstripe.org/download/security-releases https://www.silverstripe.org/download/security-releases/CVE-2019-14273 • CWE-552: Files or Directories Accessible to External Parties •