CVE-2019-14273
https://notcve.org/view.php?id=CVE-2019-14273
In SilverStripe assets 4.0, there is broken access control on files. • https://forum.silverstripe.org/c/releases https://www.silverstripe.org/blog/tag/release https://www.silverstripe.org/download/security-releases https://www.silverstripe.org/download/security-releases/CVE-2019-14273 • CWE-552: Files or Directories Accessible to External Parties
CVE-2019-12205
https://notcve.org/view.php?id=CVE-2019-12205
SilverStripe through 4.3.3 has Flash Clipboard Reflected XSS. • https://forum.silverstripe.org/c/releases https://www.silverstripe.org/download/security-releases https://www.silverstripe.org/download/security-releases/CVE-2019-12205 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-12203
https://notcve.org/view.php?id=CVE-2019-12203
SilverStripe through 4.3.3 allows session fixation in the "change password" form. • https://forum.silverstripe.org/c/releases https://www.silverstripe.org/download/security-releases https://www.silverstripe.org/download/security-releases/CVE-2019-12203 • CWE-384: Session Fixation
CVE-2019-12245
https://notcve.org/view.php?id=CVE-2019-12245
SilverStripe through 4.3.3 has incorrect access control for protected files uploaded via Upload::loadIntoFile(). An attacker may be able to guess a filename in silverstripe/assets via the AssetControlExtension. • https://forum.silverstripe.org/c/releases https://www.silverstripe.org/download/security-releases https://www.silverstripe.org/download/security-releases/CVE-2019-12245 • CWE-732: Incorrect Permission Assignment for Critical Resource
CVE-2019-5715
https://notcve.org/view.php?id=CVE-2019-5715
All versions of SilverStripe 3 prior to 3.6.7 and 3.7.3, and all versions of SilverStripe 4 prior to 4.0.7, 4.1.5, 4.2.4, and 4.3.1 allow Reflected SQL Injection through Form and DataObject. • https://www.silverstripe.org/download/security-releases https://www.silverstripe.org/download/security-releases/ss-2018-021 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')