CVE-2017-5197
https://notcve.org/view.php?id=CVE-2017-5197
There is XSS in SilverStripe CMS before 3.4.4 and 3.5.x before 3.5.2. The attack vector is a page name. An example payload is a crafted JavaScript event handler within a malformed SVG element. Hay una XSS en SilverStripe CMS en versiones anteriores a 3.4.4 y 3.5.x en versiones anteriores a 3.5.2. El vector de ataque es un nombre de página. • http://www.securityfocus.com/bid/96572 https://www.silverstripe.org/download/security-releases • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2015-8606
https://notcve.org/view.php?id=CVE-2015-8606
Multiple cross-site scripting (XSS) vulnerabilities in SilverStripe CMS & Framework before 3.1.16 and 3.2.x before 3.2.1 allow remote attackers to inject arbitrary web script or HTML via the (1) Locale or (2) FailedLoginCount parameter to admin/security/EditForm/field/Members/item/new/ItemEditForm. Múltiples vulnerabilidades de XSS en SilverStripe CMS & Framework en versiones anteriores a 3.1.16 y 3.2.x en versiones anteriores a 3.2.1 permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del parámetro (1) Locale o (2) FailedLogenCount en admen/security/EditForm/field/Members/item/new/ItemEditForm. • http://seclists.org/fulldisclosure/2015/Dec/55 http://www.openwall.com/lists/oss-security/2015/12/17/1 http://www.openwall.com/lists/oss-security/2015/12/17/11 http://www.openwall.com/lists/oss-security/2015/12/18/5 http://www.silverstripe.org/download/security-releases/ss-2015-026 https://cybersecurityworks.com/zerodays/cve-2015-8606-silverstripe.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2015-5063 – SilverStripe CMS 3.1.13 XSS / Open Redirect
https://notcve.org/view.php?id=CVE-2015-5063
Multiple cross-site scripting (XSS) vulnerabilities in SilverStripe CMS & Framework 3.1.13 allow remote attackers to inject arbitrary web script or HTML via the (1) admin_username or (2) admin_password parameter to install.php. Múltiples vulnerabilidades de XSS en SilverStripe CMS & Framework 3.1.13 permiten a atacantes remotos inyectar secuencias de comandos web arbitrarios o HTML a través del parámetro (1) admin_username o (2) admin_password en install.php. SilverStripe CMS version 3.1.13 suffers from open redirection and cross site scripting vulnerabilities. • http://hyp3rlinx.altervista.org/advisories/AS-SILVERSTRIPE0607.txt http://packetstormsecurity.com/files/132223/SilverStripe-CMS-3.1.13-XSS-Open-Redirect.html http://www.securityfocus.com/archive/1/535716/100/0/threaded • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2015-5062 – SilverStripe CMS 3.1.13 XSS / Open Redirect
https://notcve.org/view.php?id=CVE-2015-5062
Open redirect vulnerability in SilverStripe CMS & Framework 3.1.13 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the returnURL parameter to dev/build. Vulnerabilidad de la redirección abierta en SilverStripe CMS & Framework 3.1.13 permite a atacantes remotos redirigir usuarios hacia sitios web arbitrarios y realizar ataques de phishing a través de una URL en el parámetro returnURL en dev/build. SilverStripe CMS version 3.1.13 suffers from open redirection and cross site scripting vulnerabilities. • http://hyp3rlinx.altervista.org/advisories/AS-SILVERSTRIPE0607.txt http://packetstormsecurity.com/files/132223/SilverStripe-CMS-3.1.13-XSS-Open-Redirect.html http://www.securityfocus.com/archive/1/535716/100/0/threaded http://www.securityfocus.com/bid/75419 •
CVE-2013-6789
https://notcve.org/view.php?id=CVE-2013-6789
security/MemberLoginForm.php in SilverStripe 3.0.3 supports credentials in a GET request, which allows remote or local attackers to obtain sensitive information by reading web-server access logs, web-server Referer logs, or the browser history, a similar vulnerability to CVE-2013-2653. security/ MemberLoginForm.php en SilverStripe 3.0.3 apoya las credenciales en una solicitud GET, que permite a atacantes remotos o locales obtener información sensible mediante la lectura de los registros de log de acceso del servidor web, logsReferer del servidor web, o el historial del navegador, una vulnerabilidad similar a CVE-2013-2653. • http://seclists.org/bugtraq/2013/Aug/12 https://github.com/chillu/silverstripe-framework/commit/3e88c98ca513880e2b43ed7f27ade17fef5d9170 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •