CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2015-8606
https://notcve.org/view.php?id=CVE-2015-8606
Multiple cross-site scripting (XSS) vulnerabilities in SilverStripe CMS & Framework before 3.1.16 and 3.2.x before 3.2.1 allow remote attackers to inject arbitrary web script or HTML via the (1) Locale or (2) FailedLoginCount parameter to admin/security/EditForm/field/Members/item/new/ItemEditForm. Múltiples vulnerabilidades de XSS en SilverStripe CMS & Framework en versiones anteriores a 3.1.16 y 3.2.x en versiones anteriores a 3.2.1 permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del parámetro (1) Locale o (2) FailedLogenCount en admen/security/EditForm/field/Members/item/new/ItemEditForm. • http://seclists.org/fulldisclosure/2015/Dec/55 http://www.openwall.com/lists/oss-security/2015/12/17/1 http://www.openwall.com/lists/oss-security/2015/12/17/11 http://www.openwall.com/lists/oss-security/2015/12/18/5 http://www.silverstripe.org/download/security-releases/ss-2015-026 https://cybersecurityworks.com/zerodays/cve-2015-8606-silverstripe.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 1CVE-2013-6789
https://notcve.org/view.php?id=CVE-2013-6789
security/MemberLoginForm.php in SilverStripe 3.0.3 supports credentials in a GET request, which allows remote or local attackers to obtain sensitive information by reading web-server access logs, web-server Referer logs, or the browser history, a similar vulnerability to CVE-2013-2653. security/ MemberLoginForm.php en SilverStripe 3.0.3 apoya las credenciales en una solicitud GET, que permite a atacantes remotos o locales obtener información sensible mediante la lectura de los registros de log de acceso del servidor web, logsReferer del servidor web, o el historial del navegador, una vulnerabilidad similar a CVE-2013-2653. • http://seclists.org/bugtraq/2013/Aug/12 https://github.com/chillu/silverstripe-framework/commit/3e88c98ca513880e2b43ed7f27ade17fef5d9170 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.8EPSS: 2%CPEs: 1EXPL: 2CVE-2013-2653 – SilverStripe CMS - 'MemberLoginForm.php' Information Disclosure
https://notcve.org/view.php?id=CVE-2013-2653
security/MemberLoginForm.php in SilverStripe 3.0.3 supports login using a GET request, which makes it easier for remote attackers to conduct phishing attacks without detection by the victim. security/MemberLoginForm.php en SilverStripe 3.0.3 ofrece soporte al inicio de sesión mediante el uso de una petición GET, lo que hace más sencillo para atacantes remotos llevar a cabo ataques de phishing sin detección por parte de la víctima. SilverStripe CMS version 3.0.3 suffers from an information exposure issue through query strings in GET requests. • https://www.exploit-db.com/exploits/38689 http://seclists.org/bugtraq/2013/Aug/12 https://github.com/chillu/silverstripe-framework/commit/3e88c98ca513880e2b43ed7f27ade17fef5d9170 • CWE-20: Improper Input Validation •