Silverstripe Assets vulnerabilities

6 known vulnerabilities affecting silverstripe/assets.

Total CVEs: 6
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 1, MEDIUM 5

Vulnerabilities

CVE-2026-24749 [MEDIUM] CWE-266. Affected: ≥ 0, < 2.4.5 and ≥ 3.0.0, < 3.1.3. Published: 2026-04-16.
Silverstripe Assets Module has a DBFile::getURL() permission bypass
Impact: Images rendered in templates or otherwise accessed via `DBFile::getURL()` or `DBFile::getSourceURL()` incorrectly add an access grant to the current session, which bypasses file permissions. This usually happens when creating an image variant, for example using a manipulation method like `ScaleWidth()` or `Convert()`
Sources: GHSA
CVE-2022-38724 [MEDIUM] CWE-79, CVSS 5.4. Affected: ≥ 1.0.0, ≤ 1.11.0. Published: 2022-11-23.
Silverstripe silverstripe/framework through 4.11.0, silverstripe/assets through 1.11.0, and silverstripe/asset-admin through 1.11.0 allow XSS.
Sources: GHSA, NVD, OSV
CVE-2022-38147 [MEDIUM] CWE-79. Affected: ≥ 1.0.0, < 1.11.1. Published: 2022-11-21.
XSS via uploaded GPX file
A malicious content author could upload a GPX file with a JavaScript payload. The payload could then be executed by luring a legitimate user to view the file in a browser with support for GPX files. GPX is an XML-based format used to store GPS data. By default, Silverstripe CMS will no longer allow GPX files to be uploaded to the assets area.
Sources: GHSA, OSV
CVE-2022-29858 [MEDIUM] CWE-287, CVSS 4.3. Fixed in 1.10.1. Published: 2022-06-28.
Silverstripe silverstripe/assets through 1.10 is vulnerable to improper access control that allows protected images to be published by changing an existing image short code on website content.
Sources: GHSA, NVD, OSV
CVE-2020-9280 [HIGH] CWE-434. Affected: ≥ 1.0.0, < 1.4.7 and ≥ 1.5.0, < 1.5.2. Published: 2022-05-24.
SilverStripe folders migrated from 3.x may be unsafe to upload to
In SilverStripe through 4.5, files uploaded via Forms to folders migrated from Silverstripe CMS 3.x may be put to the default "/Uploads" folder instead. This affects installations which allowed upload folder protection via the optional silverstripe/secureassets module under 3.x. This module is installed and enabled by default on the Com
Sources: GHSA, OSV
CVE-2019-12245 [MEDIUM] CWE-732. Affected: ≥ 1.0.0, < 1.3.5 and ≥ 1.4.0, < 1.4.4. Published: 2019-11-12.
Lack of access control on uploaded files
SilverStripe through 4.3.3 has incorrect access control for protected files uploaded via Upload::loadIntoFile(). An attacker may be able to guess a filename in silverstripe/assets via the AssetControlExtension.
Sources: GHSA, OSV