CVSS: 6.8EPSS: 0%CPEs: 18EXPL: 3CVE-2011-4959
https://notcve.org/view.php?id=CVE-2011-4959
SQL injection vulnerability in the addslashes method in SilverStripe 2.3.x before 2.3.12 and 2.4.x before 2.4.6, when connected to a MySQL database using far east character encodings, allows remote attackers to execute arbitrary SQL commands via unspecified vectors. Vulnerabilidad de inyección SQL en el método addslashes en SilverStripe v2.3.x antes de v2.3.12 y v2.4.x antes de v2.4.6, cuando se conecta a una base de datos MySQL usando una codificación de caracteres del lejano oriente, permite a atacantes remotos ejecutar comandos SQL a través de vectores no especificados. • http://doc.silverstripe.org/framework/en/trunk/changelogs/2.3.12 http://doc.silverstripe.org/framework/en/trunk/changelogs/2.4.6 http://www.openwall.com/lists/oss-security/2012/04/30/1 http://www.openwall.com/lists/oss-security/2012/04/30/3 https://github.com/silverstripe/sapphire/commit/73cca09 https://github.com/silverstripe/sapphire/commit/ca78784 https://github.com/silverstripe/silverstripe-cms/commit/b5ea2f6 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 0%CPEs: 17EXPL: 1CVE-2011-4960
https://notcve.org/view.php?id=CVE-2011-4960
SQL injection vulnerability in the Folder::findOrMake method in SilverStripe 2.3.x before 2.3.12 and 2.4.x before 2.4.6 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. Una vulnerabilidad de inyección SQL en el método Folder::findOrMake en SilverStripe v2.3.x antes de v2.3.12 y v2.4.x antes de v2.4.6 permite a atacantes remotos ejecutar comandos SQL a través de vectores no especificados. • http://doc.silverstripe.org/framework/en/trunk/changelogs/2.3.12 http://doc.silverstripe.org/framework/en/trunk/changelogs/2.4.6 http://www.openwall.com/lists/oss-security/2012/04/30/1 http://www.openwall.com/lists/oss-security/2012/04/30/3 https://github.com/silverstripe/sapphire/commit/fef7c32 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.0EPSS: 0%CPEs: 18EXPL: 0CVE-2011-4961
https://notcve.org/view.php?id=CVE-2011-4961
SilverStripe 2.3.x before 2.3.12 and 2.4.x before 2.4.6 allows remote authenticated users with the EDIT_PERMISSIONS permission to gain administrator privileges via a TreeMultiselectField that includes admin groups when adding a user to the selected groups. SilverStripe v2.3.x antes de v2.3.12 y v2.4.x antes de v2.4.6 permite obtener permisos de administrador a usuarios remotos autenticados con el permiso 'EDIT_PERMISSIONS' a través de un 'TreeMultiselectField' que incluye grupos de administradores al agregar un usuario a los grupos seleccionados. • http://doc.silverstripe.org/framework/en/trunk/changelogs/2.3.12 http://doc.silverstripe.org/framework/en/trunk/changelogs/2.4.6 http://www.openwall.com/lists/oss-security/2012/04/30/1 http://www.openwall.com/lists/oss-security/2012/04/30/3 https://github.com/silverstripe/sapphire/commit/de1f070 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 6.8EPSS: 4%CPEs: 6EXPL: 1CVE-2011-4962
https://notcve.org/view.php?id=CVE-2011-4962
code/sitefeatures/PageCommentInterface.php in SilverStripe 2.4.x before 2.4.6 might allow remote attackers to execute arbitrary code via a crafted cookie in a user comment submission, which is not properly handled when it is deserialized. code/sitefeatures/PageCommentInterface.php en SilverStripe v2.4.x antes de v2.4.6 podría permitir a atacantes remotos ejecutar código de su elección a través de una cookie hecha a mano en el envío de comentarios de usuario, que no son correctamente gestionados cuando se deserializa. • http://doc.silverstripe.org/framework/en/trunk/changelogs/2.4.6 http://www.openwall.com/lists/oss-security/2012/04/30/1 http://www.openwall.com/lists/oss-security/2012/04/30/3 https://github.com/silverstripe/silverstripe-cms/commit/d15e850 • CWE-20: Improper Input Validation •
CVSS: 4.3EPSS: 0%CPEs: 19EXPL: 1CVE-2012-4968
https://notcve.org/view.php?id=CVE-2012-4968
Multiple cross-site scripting (XSS) vulnerabilities in SilverStripe 2.3.x before 2.3.13 and 2.4.x before 2.4.7 allow remote attackers to inject arbitrary web script or HTML via (1) a crafted string to the AbsoluteLinks, (2) BigSummary, (3) ContextSummary, (4) EscapeXML, (5) FirstParagraph, (6) FirstSentence, (7) Initial, (8) LimitCharacters, (9) LimitSentences, (10) LimitWordCount, (11) LimitWordCountXML, (12) Lower, (13) LowerCase, (14) NoHTML, (15) Summary, (16) Upper, (17) UpperCase, or (18) URL method in a template, different vectors than CVE-2012-0976. Múltiples vulnerabilidades de ejecución de comandos en sitios cruzados (XSS) en SilverStripe v2.3.x antes de v2.3.13 y v2.4.x antes de v2.4.7 permiten a atacantes remotos inyectar secuencias de comandos web o HTML a través de una cadena modificada a los métodos (1) AbsoluteLinks, (2) BigSummary, (3) ContextSummary, (4) EscapeXML, (5) FirstParagraph, (6) FirstSentence, (7) Initial, (8) LimitCharacters, (9) LimitSentences, (10) Word Count Limit, (11) LimitWordCountXML, (12) Lower, (13) LowerCase, (14) NOHTML, (15) Summary, (16) Upper, (17) UpperCase, o (18) URL en una plantilla. Se trata de vectores diferentes a los de CVE-2012-0976a. • http://doc.silverstripe.org/framework/en/trunk/changelogs/2.3.13 http://doc.silverstripe.org/framework/en/trunk/changelogs/2.4.7 http://www.openwall.com/lists/oss-security/2012/04/30/1 http://www.openwall.com/lists/oss-security/2012/04/30/3 https://github.com/silverstripe/sapphire/commit/0085876 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •