CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-53277 – Cross-site Scripting in form messages in silverstripe framework
https://notcve.org/view.php?id=CVE-2024-53277
14 Jan 2025 — Silverstripe Framework is a PHP framework which powers the Silverstripe CMS. In some cases, form messages can contain HTML markup. This is an intentional feature, allowing links and other relevant HTML markup for the given message. Some form messages include content that the user can provide. There are scenarios in the CMS where that content doesn't get correctly sanitised prior to being included in the form message, resulting in an XSS vulnerability. • https://github.com/silverstripe/silverstripe-framework/commit/74904f539347b7d1f8c5b5fb9e28d62ff251ee00 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-32981 – Cross-site Scripting vulnerability with encoded payload in silverstripe/framework
https://notcve.org/view.php?id=CVE-2024-32981
17 Jul 2024 — Silverstripe framework is the PHP framework forming the base for the Silverstripe CMS. In affected versions a bad actor with access to edit content in the CMS could add send a specifically crafted encoded payload to the server, which could be used to inject a JavaScript payload on the front end of the site. The payload would be sanitised on the client-side, but server-side sanitisation doesn't catch it. The server-side sanitisation logic has been updated to sanitise against this type of attack in version 5.... • https://github.com/silverstripe/silverstripe-framework/commit/b8d20dc9d531550e06fd7da7a0eafa551922e2e1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2023-48714 – Record titles for restricted records can be viewed if exposed by GridFieldAddExistingAutocompleter
https://notcve.org/view.php?id=CVE-2023-48714
23 Jan 2024 — Silverstripe Framework is the framework that forms the base of the Silverstripe content management system. Prior to versions 4.13.39 and 5.1.11, if a user should not be able to see a record, but that record can be added to a `GridField` using the `GridFieldAddExistingAutocompleter` component, the record's title can be accessed by that user. Versions 4.13.39 and 5.1.11 contain a fix for this issue. Silverstripe Framework es el framework que forma la base del sistema de gestión de contenidos Silverstripe. Ant... • https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-qm2j-qvq3-j29v • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2023-22729 – Silverstripe Framework has open redirect vulnerability on CMSSecurity relogin screen
https://notcve.org/view.php?id=CVE-2023-22729
26 Apr 2023 — Silverstripe Framework is the Model-View-Controller framework that powers the Silverstripe content management system. Prior to version 4.12.15, an attacker can display a link to a third party website on a login screen by convincing a legitimate content author to follow a specially crafted link. Users should upgrade to Silverstripe Framework 4.12.15 or above to address the issue. • https://github.com/silverstripe/silverstripe-framework/commit/1a5bb4cbece1721203977910b8ecd8b79c18dc77 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-22728 – Silverstripe Framework has missing permission check of canView in GridFieldPrintButton
https://notcve.org/view.php?id=CVE-2023-22728
26 Apr 2023 — Silverstripe Framework is the Model-View-Controller framework that powers the Silverstripe content management system. Prior to version 4.12.15, the GridField print view incorrectly validates the permission of DataObjects potentially allowing a content author to view records they are not authorised to access. Users should upgrade to Silverstripe Framework 4.12.15 or above to address the issue. • https://github.com/silverstripe/silverstripe-framework/commit/fd5d8217e83768d7bf841e94b2d4d82642d5bc58 • CWE-862: Missing Authorization •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-37429
https://notcve.org/view.php?id=CVE-2022-37429
23 Nov 2022 — Silverstripe silverstripe/framework through 4.11 allows XSS (issue 1 of 2) via JavaScript payload to the href attribute of a link by splitting a javascript URL with white space characters. El framework Silverstripe hasta la versión 4.11 permite XSS (problema 1 de 2) a través del payload de JavaScript al atributo href de un enlace al dividir una URL de JavaScript con caracteres de espacio en blanco. • https://forum.silverstripe.org/c/releases • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-37430
https://notcve.org/view.php?id=CVE-2022-37430
23 Nov 2022 — Silverstripe silverstripe/framework through 4.11 allows XSS vulnerability via href attribute of a link (issue 2 of 2). El framework Silverstripe hasta la versión 4.11 permite la vulnerabilidad XSS a través del atributo href de un enlace (problema 2 de 2). • https://forum.silverstripe.org/c/releases • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-38145
https://notcve.org/view.php?id=CVE-2022-38145
23 Nov 2022 — Silverstripe silverstripe/framework through 4.11 allows XSS (issue 1 of 3) via remote attackers adding a Javascript payload to a page's meta description and get it executed in the versioned history compare view. El framework Silverstripe hasta la versión 4.11 permite XSS (problema 1 de 3) a través de atacantes remotos que agreguen un payload de Javascript a la meta descripción de una página y la ejecute en la vista de comparación del historial de versiones. • https://forum.silverstripe.org/c/releases • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-38147
https://notcve.org/view.php?id=CVE-2022-38147
23 Nov 2022 — Silverstripe silverstripe/framework through 4.11 allows XSS (issue 3 of 3). El framework Silverstripe hasta 4.11 permite XSS (problema 3 de 3). • https://forum.silverstripe.org/c/releases • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 2EXPL: 0CVE-2022-38462
https://notcve.org/view.php?id=CVE-2022-38462
22 Nov 2022 — Silverstripe silverstripe/framework through 4.11 is vulnerable to XSS by carefully crafting a return URL on a /dev/build or /Security/login request. Silverstripe silverstripe/framework hasta 4.11 es vulnerable a XSS al manipular cuidadosamente una URL de retorno en una solicitud /dev/build o /Security/login. • https://forum.silverstripe.org/c/releases • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •