cbcvebase.

Silverstripe Framework vulnerabilities

41 known vulnerabilities affecting silverstripe/framework.

Total CVEs
41
CISA KEV
0
Public exploits
1
Exploited in wild
0
Severity breakdown
CRITICAL2HIGH3MEDIUM32LOW4

Vulnerabilities

Page 1 of 3
CVE-2019-5715P3CRITICAL≥ 3.0.0, < 3.6.7≥ 4.0.0, < 4.0.7+4 more2022-05-14
CVE-2019-5715 [CRITICAL] CWE-89 Silverstripe Framework SQLi Vulnerability Silverstripe Framework SQLi Vulnerability All versions of SilverStripe 3 prior to 3.6.7 and 3.7.3, and all versions of SilverStripe 4 prior to 4.0.7, 4.1.5, 4.2.4, and 4.3.1 allows Reflected SQL Injection through Form and DataObject.
ghsaosv
CVE-2024-47605P3MEDIUMPoC≥ 0, < 5.3.82025-01-14
CVE-2024-47605 [MEDIUM] CWE-79 Silverstripe Framework has a XSS via insert media remote file oembed Silverstripe Framework has a XSS via insert media remote file oembed ### Impact When using the "insert media" functionality, the linked oEmbed JSON includes an HTML attribute which will replace the embed shortcode. The HTML is not sanitized before replacing the shortcode, allowing a script payload to be executed on both the CMS and the front-end of the website. ## References - https://www.silv
ghsaosv
CVE-2022-38148P3HIGHCVSS 8.8≤ 4.11.02022-11-21
CVE-2022-38148 [HIGH] CWE-89 CVE-2022-38148: Silverstripe silverstripe/framework through 4.11 allows SQL Injection. Silverstripe silverstripe/framework through 4.11 allows SQL Injection.
ghsanvdosv
CVE-2019-12204P3CRITICAL≥ 4.1.0, < 4.3.52019-11-12
CVE-2019-12204 [CRITICAL] Missing warning can lead to unauthenticated admin access in SilverStripe Missing warning can lead to unauthenticated admin access in SilverStripe In SilverStripe through 4.3.3, a missing warning about leaving install.php in a public webroot can lead to unauthenticated admin access.
ghsaosv
CVE-2020-6164P3HIGH≥ 4.0.0, < 4.4.7≥ 4.5.0, < 4.5.42022-05-24
CVE-2020-6164 [HIGH] CWE-200 Silverstripe CMS information disclosure Silverstripe CMS information disclosure In SilverStripe through 4.5.0, a specific URL path configured by default through the silverstripe/framework module can be used to disclose the fact that a domain is hosting a Silverstripe application. There is no disclosure of the specific version. The functionality on this URL path is limited to execution in a CLI context, and is not known to present a vulnerability through web-based ac
ghsaosv
CVE-2020-9280P3HIGH≥ 4.0.0, < 4.4.62022-05-24
CVE-2020-9280 [HIGH] CWE-434 SilverStripe Folders migrated from 3.x may be unsafe to upload to SilverStripe Folders migrated from 3.x may be unsafe to upload to In SilverStripe through 4.5, files uploaded via Forms to folders migrated from Silverstripe CMS 3.x may be put to the default "/Uploads" folder instead. This affects installations which allowed upload folder protection via the optional silverstripe/secureassets module under 3.x. This module is installed and enabled by default on the Com
ghsaosv
CVE-2023-22729P4MEDIUMCVSS 6.1fixed in 4.12.52023-04-26
CVE-2023-22729 [MEDIUM] CWE-601 CVE-2023-22729: Silverstripe Framework is the Model-View-Controller framework that powers the Silverstripe content m Silverstripe Framework is the Model-View-Controller framework that powers the Silverstripe content management system. Prior to version 4.12.15, an attacker can display a link to a third party website on a login screen by convincing a legitimate content author to follow a specially crafted link. Users should upgrade to Silverstripe Framework 4.12.15
ghsanvdosv
CVE-2024-32981P4MEDIUMCVSS 5.4fixed in 5.2.162024-07-17
CVE-2024-32981 [MEDIUM] CWE-79 CVE-2024-32981: Silverstripe framework is the PHP framework forming the base for the Silverstripe CMS. In affected v Silverstripe framework is the PHP framework forming the base for the Silverstripe CMS. In affected versions a bad actor with access to edit content in the CMS could add send a specifically crafted encoded payload to the server, which could be used to inject a JavaScript payload on the front end of the site. The payload would be sanitised on the clien
ghsanvdosv
CVE-2025-30148P4MEDIUMCVSS 5.4≤ 5.3.232025-04-10
CVE-2025-30148 [MEDIUM] CWE-79 CVE-2025-30148: Silverstripe Framework is a PHP framework which powers the Silverstripe CMS. Prior to 5.3.23, bad ac Silverstripe Framework is a PHP framework which powers the Silverstripe CMS. Prior to 5.3.23, bad actor with access to edit content in the CMS could send a specifically crafted encoded payload to the server, which could be used to inject a JavaScript payload on the front end of the site. The payload would be sanitized on the client-side, but server-s
ghsanvdosv
CVE-2019-12245P4MEDIUM≥ 0, < 3.6.8≥ 3.7.0, < 3.7.4+2 more2019-11-12
CVE-2019-12245 [MEDIUM] CWE-732 Lack of access control on upoaded files Lack of access control on upoaded files SilverStripe through 4.3.3 has incorrect access control for protected files uploaded via Upload::loadIntoFile(). An attacker may be able to guess a filename in silverstripe/assets via the AssetControlExtension.
ghsaosv
CVE-2019-16409P4MEDIUM≥ 4.0.0, < 4.3.5≥ 4.4.0, < 4.4.42019-11-12
CVE-2019-16409 [MEDIUM] CWE-200 SilverStripe Versioned Files module Unpublished files are exposed publicly SilverStripe Versioned Files module Unpublished files are exposed publicly In the Versioned Files module through 2.0.3 for SilverStripe 3.x, unpublished versions of files are publicly exposed to anyone who can guess their URL. This guess could be highly informed by a basic understanding of the symbiote/silverstripe-versionedfiles source code. (Users who upgrade from SilverStripe 3.x to 4.x
ghsaosv
CVE-2019-14273P4MEDIUM≥ 4.0.0, < 4.3.5≥ 4.4.0, < 4.4.42020-07-15
CVE-2019-14273 [MEDIUM] CWE-552 Broken access control on files Broken access control on files In SilverStripe assets 4.0, there is broken access control on files.
ghsaosv
CVE-2021-41559P4MEDIUM≥ 4.0.0, < 4.10.92022-06-29
CVE-2021-41559 [MEDIUM] CWE-776 Quadratic blowup in Convert::xml2array() Quadratic blowup in Convert::xml2array() Silverstripe silverstripe/framework 4.x until 4.10.9 has a quadratic blowup in Convert::xml2array() that enables a remote attack via a crafted XML document.
ghsaosv
CVE-2022-38724P4MEDIUMCVSS 5.4≥ 4.0.0, ≤ 4.11.02022-11-23
CVE-2022-38724 [MEDIUM] CWE-79 CVE-2022-38724: Silverstripe silverstripe/framework through 4.11.0, silverstripe/assets through 1.11.0, and silverst Silverstripe silverstripe/framework through 4.11.0, silverstripe/assets through 1.11.0, and silverstripe/asset-admin through 1.11.0 allow XSS.
ghsanvdosv
CVE-2022-25238P4MEDIUMCVSS 5.4≤ 4.10.02022-06-28
CVE-2022-25238 [MEDIUM] CWE-79 CVE-2022-25238: Silverstripe silverstripe/framework through 4.10.0 allows XSS, inside of script tags that can can be Silverstripe silverstripe/framework through 4.10.0 allows XSS, inside of script tags that can can be added to website content via XHR by an authenticated CMS user if the cwp-core module is not installed on the sanitise_server_side contig is not set to true in project code.
ghsanvdosv
CVE-2024-53277P4MEDIUMCVSS 5.4fixed in 5.3.82025-01-14
CVE-2024-53277 [MEDIUM] CWE-79 CVE-2024-53277: Silverstripe Framework is a PHP framework which powers the Silverstripe CMS. In some cases, form mes Silverstripe Framework is a PHP framework which powers the Silverstripe CMS. In some cases, form messages can contain HTML markup. This is an intentional feature, allowing links and other relevant HTML markup for the given message. Some form messages include content that the user can provide. There are scenarios in the CMS where that content doesn't
ghsanvdosv
CVE-2019-19326P4MEDIUM≥ 4.0.0, < 4.4.7≥ 4.5.0, < 4.5.4+1 more2022-05-24
CVE-2019-19326 [MEDIUM] CWE-444 SilverStripe Web Cache Poisoning through HTTPRequestBuilder SilverStripe Web Cache Poisoning through HTTPRequestBuilder SilverStripe through 4.4.4 allows Web Cache Poisoning through HTTPRequestBuilder.
ghsaosv
CVE-2022-38462P4MEDIUMCVSS 6.1fixed in 4.11.13≥ 3.0.0, ≤ 3.7.72022-11-22
CVE-2022-38462 [MEDIUM] CWE-79 CVE-2022-38462: Silverstripe silverstripe/framework through 4.11 is vulnerable to XSS by carefully crafting a return Silverstripe silverstripe/framework through 4.11 is vulnerable to XSS by carefully crafting a return URL on a /dev/build or /Security/login request.
ghsanvdosv
CVE-2022-38146P4MEDIUMCVSS 5.4≤ 4.11.02022-11-21
CVE-2022-38146 [MEDIUM] CWE-79 CVE-2022-38146: Silverstripe silverstripe/framework through 4.11 allows XSS (issue 2 of 3). Silverstripe silverstripe/framework through 4.11 allows XSS (issue 2 of 3).
nvd
CVE-2022-37430P4MEDIUMCVSS 5.4≥ 3.0.0, < 4.11.132022-11-23
CVE-2022-37430 [MEDIUM] CWE-79 CVE-2022-37430: Silverstripe silverstripe/framework through 4.11 allows XSS vulnerability via href attribute of a li Silverstripe silverstripe/framework through 4.11 allows XSS vulnerability via href attribute of a link (issue 2 of 2).
ghsanvdosv
Silverstripe Framework vulnerabilities | cvebase