Page 5 of 43 results (0.006 seconds)

CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0

Multiple cross-site scripting (XSS) vulnerabilities in SilverStripe CMS & Framework before 3.1.16 and 3.2.x before 3.2.1 allow remote attackers to inject arbitrary web script or HTML via the (1) Locale or (2) FailedLoginCount parameter to admin/security/EditForm/field/Members/item/new/ItemEditForm. Múltiples vulnerabilidades de XSS en SilverStripe CMS & Framework en versiones anteriores a 3.1.16 y 3.2.x en versiones anteriores a 3.2.1 permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del parámetro (1) Locale o (2) FailedLogenCount en admen/security/EditForm/field/Members/item/new/ItemEditForm. • http://seclists.org/fulldisclosure/2015/Dec/55 http://www.openwall.com/lists/oss-security/2015/12/17/1 http://www.openwall.com/lists/oss-security/2015/12/17/11 http://www.openwall.com/lists/oss-security/2015/12/18/5 http://www.silverstripe.org/download/security-releases/ss-2015-026 https://cybersecurityworks.com/zerodays/cve-2015-8606-silverstripe.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.3EPSS: 0%CPEs: 24EXPL: 5

Cross-site scripting (XSS) vulnerability in the process function in SSViewer.php in SilverStripe before 2.3.13 and 2.4.x before 2.4.6 allows remote attackers to inject arbitrary web script or HTML via the QUERY_STRING to template placeholders, as demonstrated by a request to (1) admin/reports/, (2) admin/comments/, (3) admin/, (4) admin/show/, (5) admin/assets/, and (6) admin/security/. Vulnerabilidad de XSS en la función de proceso en SSViewer.php en SilverStripe anterior a 2.3.13 y 2.4.x anterior a 2.4.6 permite a atacantes remotos inyectar script Web o HTML arbitrarios a través de QUERY_STRING hacia marcadores de posición de plantillas, tal y como fue demostrado por una solicitud hacia (1) admin/reports/, (2) admin/comments/, (3) admin/, (4) admin/show/, (5) admin/assets/ y (6) admin/security/. • https://www.exploit-db.com/exploits/36226 http://doc.silverstripe.org/sapphire/en/trunk/changelogs/2.3.12 http://doc.silverstripe.org/sapphire/en/trunk/changelogs/2.4.6 http://osvdb.org/76258 http://secunia.com/advisories/46390 http://www.rul3z.de/advisories/SSCHADV2011-024.txt http://www.securityfocus.com/archive/1/520050/100/0/threaded https://github.com/silverstripe/sapphire/commit/16c3235 https://github.com/silverstripe/sapphire/commit/52a895f https://github.com/silve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.0EPSS: 0%CPEs: 14EXPL: 0

SilverStripe 2.3.x before 2.3.10 and 2.4.x before 2.4.4 stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain version information via a direct request to (1) apphire/silverstripe_version or (2) cms/silverstripe_version. SilverStripe v2.3.x antes de v2.3.10 y v2.4.x antes de v2.4.4 almacena información sensible bajo la raíz web con controles de acceso insuficientes, lo que permite a atacantes remotos obtener información de la versión a través de una petición directa a (1) apphire/silverstripe_version ó (2) cms/silverstripe_version. • http://doc.silverstripe.org/framework/en/trunk/changelogs//2.3.10 http://doc.silverstripe.org/framework/en/trunk/changelogs//2.4.4 http://open.silverstripe.org/ticket/5031 http://secunia.com/advisories/42346 http://www.openwall.com/lists/oss-security/2011/01/03/12 http://www.openwall.com/lists/oss-security/2012/04/30/1 http://www.openwall.com/lists/oss-security/2012/04/30/3 http://www.openwall.com/lists/oss-security/2012/05/01/3 http://www.os • CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 5.0EPSS: 0%CPEs: 14EXPL: 0

SilverStripe 2.3.x before 2.3.10 and 2.4.x before 2.4.4 uses weak entropy when generating tokens for (1) the CSRF protection mechanism, (2) autologin, (3) "forgot password" functionality, and (4) password salts, which makes it easier for remote attackers to bypass intended access restrictions via unspecified vectors. SilverStripe 2.3.x antes de 2.3.10 y 2.4.x antes de 2.4.4 utiliza una entropía débil para la generación de fichas para (1) el mecanismo de protección CSRF, (2) el inicio de sesión automático (autologin), (3) la funcionalidad "Olvidó su contraseña" y (4) los "password salts", lo que hace que sea más fácil para los atacantes remotos evitar las restricciones de acceso a través de vectores no especificados. • http://doc.silverstripe.org/framework/en/trunk/changelogs//2.3.10 http://doc.silverstripe.org/framework/en/trunk/changelogs//2.4.4 http://open.silverstripe.org/changeset/114497 http://open.silverstripe.org/changeset/114498 http://open.silverstripe.org/changeset/114503 http://open.silverstripe.org/changeset/114504 http://open.silverstripe.org/changeset/114505 http://www.openwall.com/lists/oss-security/2011/01/03/12 http://www.openwall.com/lists/oss-security/2012/04/30/1 • CWE-310: Cryptographic Issues •

CVSS: 4.3EPSS: 0%CPEs: 19EXPL: 1

Multiple cross-site scripting (XSS) vulnerabilities in SilverStripe 2.3.x before 2.3.13 and 2.4.x before 2.4.7 allow remote attackers to inject arbitrary web script or HTML via (1) a crafted string to the AbsoluteLinks, (2) BigSummary, (3) ContextSummary, (4) EscapeXML, (5) FirstParagraph, (6) FirstSentence, (7) Initial, (8) LimitCharacters, (9) LimitSentences, (10) LimitWordCount, (11) LimitWordCountXML, (12) Lower, (13) LowerCase, (14) NoHTML, (15) Summary, (16) Upper, (17) UpperCase, or (18) URL method in a template, different vectors than CVE-2012-0976. Múltiples vulnerabilidades de ejecución de comandos en sitios cruzados (XSS) en SilverStripe v2.3.x antes de v2.3.13 y v2.4.x antes de v2.4.7 permiten a atacantes remotos inyectar secuencias de comandos web o HTML a través de una cadena modificada a los métodos (1) AbsoluteLinks, (2) BigSummary, (3) ContextSummary, (4) EscapeXML, (5) FirstParagraph, (6) FirstSentence, (7) Initial, (8) LimitCharacters, (9) LimitSentences, (10) Word Count Limit, (11) LimitWordCountXML, (12) Lower, (13) LowerCase, (14) NOHTML, (15) Summary, (16) Upper, (17) UpperCase, o (18) URL en una plantilla. Se trata de vectores diferentes a los de CVE-2012-0976a. • http://doc.silverstripe.org/framework/en/trunk/changelogs/2.3.13 http://doc.silverstripe.org/framework/en/trunk/changelogs/2.4.7 http://www.openwall.com/lists/oss-security/2012/04/30/1 http://www.openwall.com/lists/oss-security/2012/04/30/3 https://github.com/silverstripe/sapphire/commit/0085876 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •