CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2019-19325
https://notcve.org/view.php?id=CVE-2019-19325
17 Feb 2020 — SilverStripe through 4.4.x before 4.4.5 and 4.5.x before 4.5.2 allows Reflected XSS on the login form and custom forms. Silverstripe Forms allow malicious HTML or JavaScript to be inserted through non-scalar FormField attributes, which allows performing XSS (Cross-Site Scripting) on some forms built with user input (Request data). This can lead to phishing attempts to obtain a user's credentials or other sensitive user input. SilverStripe versiones hasta 4.4.x anteriores a 4.4.5 y versiones 4.5.x anteriores... • https://www.silverstripe.org/download/security-releases/cve-2019-19325 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2019-16409
https://notcve.org/view.php?id=CVE-2019-16409
26 Sep 2019 — In the Versioned Files module through 2.0.3 for SilverStripe 3.x, unpublished versions of files are publicly exposed to anyone who can guess their URL. This guess could be highly informed by a basic understanding of the symbiote/silverstripe-versionedfiles source code. (Users who upgrade from SilverStripe 3.x to 4.x and had Versioned Files installed have no further need for this module, because the 4.x release has built-in versioning. However, nothing in the upgrade process automates the destruction of thes... • https://github.com/silverstripe/silverstripe-framework •
CVSS: 4.0EPSS: 0%CPEs: 1EXPL: 0CVE-2019-12617
https://notcve.org/view.php?id=CVE-2019-12617
26 Sep 2019 — In SilverStripe through 4.3.3, there is access escalation for CMS users with limited access through permission cache pollution. En SilverStripe versiones hasta 4.3.3, se presenta una escalada de acceso para usuarios de CMS con acceso limitado mediante la contaminación de la caché de permisos. • https://forum.silverstripe.org/c/releases •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2019-14272
https://notcve.org/view.php?id=CVE-2019-14272
26 Sep 2019 — In SilverStripe asset-admin 4.0, there is XSS in file titles managed through the CMS. En SilverStripe asset-admin versión 4.0, se presenta una vulnerabilidad de tipo XSS en los títulos de archivos administrados mediante el CMS. • https://forum.silverstripe.org/c/releases • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2019-14273
https://notcve.org/view.php?id=CVE-2019-14273
26 Sep 2019 — In SilverStripe assets 4.0, there is broken access control on files. En SilverStripe assets versión 4.0, se presenta un control de acceso violado en los archivos. • https://forum.silverstripe.org/c/releases • CWE-552: Files or Directories Accessible to External Parties •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2019-12205
https://notcve.org/view.php?id=CVE-2019-12205
25 Sep 2019 — SilverStripe through 4.3.3 has Flash Clipboard Reflected XSS. SilverStripe versiones hasta 4.3.3, presenta una vulnerabilidad de tipo XSS Reflejada de Flash Clipboard. • https://forum.silverstripe.org/c/releases • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.3EPSS: 0%CPEs: 1EXPL: 0CVE-2019-12203
https://notcve.org/view.php?id=CVE-2019-12203
25 Sep 2019 — SilverStripe through 4.3.3 allows session fixation in the "change password" form. SilverStripe versiones hasta 4.3.3, permite la fijación de la sesión en el formulario "change password". • https://forum.silverstripe.org/c/releases • CWE-384: Session Fixation •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2019-12245
https://notcve.org/view.php?id=CVE-2019-12245
25 Sep 2019 — SilverStripe through 4.3.3 has incorrect access control for protected files uploaded via Upload::loadIntoFile(). An attacker may be able to guess a filename in silverstripe/assets via the AssetControlExtension. SilverStripe versiones hasta 4.3.3, presenta un control de acceso incorrecto para los archivos protegidos cargados por medio de la función Upload::loadIntoFile(). Un atacante puede ser capaz de adivinar un nombre de archivo en silverstripe/assets por medio del AssetControlExtension. • https://forum.silverstripe.org/c/releases • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2019-12204
https://notcve.org/view.php?id=CVE-2019-12204
25 Sep 2019 — In SilverStripe through 4.3.3, a missing warning about leaving install.php in a public webroot can lead to unauthenticated admin access. En SilverStripe versiones hasta 4.3.3, una falta de advertencia acerca de dejar el archivo install.php en una webroot pública puede conllevar a un acceso de administrador no autenticado. • https://forum.silverstripe.org/c/releases •
CVSS: 9.8EPSS: 0%CPEs: 4EXPL: 0CVE-2019-12149
https://notcve.org/view.php?id=CVE-2019-12149
11 Jun 2019 — SQL injection vulnerability in silverstripe/restfulserver module 1.0.x before 1.0.9, 2.0.x before 2.0.4, and 2.1.x before 2.1.2 and silverstripe/registry module 2.1.x before 2.1.1 and 2.2.x before 2.2.1 allows attackers to execute arbitrary SQL commands. Vulnerabilidad en la inyección del SQL en el módulo silverstripe/restfulserver 1.0.x anterior1.0.9, 2.0.x anterior 2.0.4, and 2.1.x anterior 2.1.2 and silverstripe/registry module 2.1.x anterior 2.1.1 and 2.2.x anterior2.2.1 permite a los atacantes to ejecu... • https://www.silverstripe.org/download/security-releases/cve-2019-12149 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •