CVE-2015-5063 – SilverStripe CMS 3.1.13 XSS / Open Redirect
https://notcve.org/view.php?id=CVE-2015-5063
Multiple cross-site scripting (XSS) vulnerabilities in SilverStripe CMS & Framework 3.1.13 allow remote attackers to inject arbitrary web script or HTML via the (1) admin_username or (2) admin_password parameter to install.php. Múltiples vulnerabilidades de XSS en SilverStripe CMS & Framework 3.1.13 permiten a atacantes remotos inyectar secuencias de comandos web arbitrarios o HTML a través del parámetro (1) admin_username o (2) admin_password en install.php. SilverStripe CMS version 3.1.13 suffers from open redirection and cross site scripting vulnerabilities. • http://hyp3rlinx.altervista.org/advisories/AS-SILVERSTRIPE0607.txt http://packetstormsecurity.com/files/132223/SilverStripe-CMS-3.1.13-XSS-Open-Redirect.html http://www.securityfocus.com/archive/1/535716/100/0/threaded • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2015-5062 – SilverStripe CMS 3.1.13 XSS / Open Redirect
https://notcve.org/view.php?id=CVE-2015-5062
Open redirect vulnerability in SilverStripe CMS & Framework 3.1.13 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the returnURL parameter to dev/build. Vulnerabilidad de la redirección abierta en SilverStripe CMS & Framework 3.1.13 permite a atacantes remotos redirigir usuarios hacia sitios web arbitrarios y realizar ataques de phishing a través de una URL en el parámetro returnURL en dev/build. SilverStripe CMS version 3.1.13 suffers from open redirection and cross site scripting vulnerabilities. • http://hyp3rlinx.altervista.org/advisories/AS-SILVERSTRIPE0607.txt http://packetstormsecurity.com/files/132223/SilverStripe-CMS-3.1.13-XSS-Open-Redirect.html http://www.securityfocus.com/archive/1/535716/100/0/threaded http://www.securityfocus.com/bid/75419 •
CVE-2013-6789
https://notcve.org/view.php?id=CVE-2013-6789
security/MemberLoginForm.php in SilverStripe 3.0.3 supports credentials in a GET request, which allows remote or local attackers to obtain sensitive information by reading web-server access logs, web-server Referer logs, or the browser history, a similar vulnerability to CVE-2013-2653. security/ MemberLoginForm.php en SilverStripe 3.0.3 apoya las credenciales en una solicitud GET, que permite a atacantes remotos o locales obtener información sensible mediante la lectura de los registros de log de acceso del servidor web, logsReferer del servidor web, o el historial del navegador, una vulnerabilidad similar a CVE-2013-2653. • http://seclists.org/bugtraq/2013/Aug/12 https://github.com/chillu/silverstripe-framework/commit/3e88c98ca513880e2b43ed7f27ade17fef5d9170 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2013-2653 – SilverStripe CMS - 'MemberLoginForm.php' Information Disclosure
https://notcve.org/view.php?id=CVE-2013-2653
security/MemberLoginForm.php in SilverStripe 3.0.3 supports login using a GET request, which makes it easier for remote attackers to conduct phishing attacks without detection by the victim. security/MemberLoginForm.php en SilverStripe 3.0.3 ofrece soporte al inicio de sesión mediante el uso de una petición GET, lo que hace más sencillo para atacantes remotos llevar a cabo ataques de phishing sin detección por parte de la víctima. SilverStripe CMS version 3.0.3 suffers from an information exposure issue through query strings in GET requests. • https://www.exploit-db.com/exploits/38689 http://seclists.org/bugtraq/2013/Aug/12 https://github.com/chillu/silverstripe-framework/commit/3e88c98ca513880e2b43ed7f27ade17fef5d9170 • CWE-20: Improper Input Validation •
CVE-2012-6458
https://notcve.org/view.php?id=CVE-2012-6458
Multiple cross-site scripting (XSS) vulnerabilities in the SilverStripe e-commerce module 3.0 for SilverStripe CMS allow remote attackers to inject arbitrary web script or HTML via the (1) FirstName, (2) Surname, or (3) Email parameter to code/forms/OrderFormAddress.php; or the (4) FirstName or (5) Surname parameter to code/forms/ShopAccountForm.php. Múltiples vulnerabilidades de cross-site scripting (XSS) en el módulo SilverStripe e-commerce v3.0 para SilverStripe CMS, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de los parámetros (1) FirstName, (2) Surname, o (3) Email en code/forms/OrderFormAddress.php; o los parámetros (4) FirstName o (5) Surname en code/forms/ShopAccountForm.php. • http://archives.neohapsis.com/archives/bugtraq/2013-07/0090.html https://code.google.com/p/silverstripe-ecommerce/source/detail?r=3739 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •