Silverstripe Framework vulnerabilities
41 known vulnerabilities affecting silverstripe/framework.
Total CVEs: 41
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 3, MEDIUM 32, LOW 4
Vulnerabilities
Page 1 of 3
CVE-2019-5715 | P3 | CRITICAL | CWE-89 | affected: ≥ 3.0.0, < 3.6.7; ≥ 4.0.0, < 4.0.7; +4 more | 2022-05-14
Silverstripe Framework SQLi Vulnerability
All versions of SilverStripe 3 prior to 3.6.7 and 3.7.3, and all versions of SilverStripe 4 prior to 4.0.7, 4.1.5, 4.2.4, and 4.3.1 allow Reflected SQL Injection through Form and DataObject.
CVE-2024-47605 | P3 | MEDIUM | CWE-79 | PoC available | affected: ≥ 0, < 5.3.8 | 2025-01-14
Silverstripe Framework has an XSS via insert media remote file oembed
### Impact
When using the "insert media" functionality, the linked oEmbed JSON includes an HTML attribute which will replace the embed shortcode. The HTML is not sanitized before replacing the shortcode, allowing a script payload to be executed on both the CMS and the front-end of the website.
## References
- https://www.silv
CVE-2022-38148 | P3 | HIGH | CWE-89 | CVSS 8.8 | affected: ≤ 4.11.0 | 2022-11-21
Silverstripe silverstripe/framework through 4.11 allows SQL Injection.
CVE-2019-12204 | P3 | CRITICAL | affected: ≥ 4.1.0, < 4.3.5 | 2019-11-12
Missing warning can lead to unauthenticated admin access in SilverStripe
In SilverStripe through 4.3.3, a missing warning about leaving install.php in a public webroot can lead to unauthenticated admin access.
CVE-2020-6164 | P3 | HIGH | CWE-200 | affected: ≥ 4.0.0, < 4.4.7; ≥ 4.5.0, < 4.5.4 | 2022-05-24
Silverstripe CMS information disclosure
In SilverStripe through 4.5.0, a specific URL path configured by default through the silverstripe/framework module can be used to disclose the fact that a domain is hosting a Silverstripe application. There is no disclosure of the specific version. The functionality on this URL path is limited to execution in a CLI context, and is not known to present a vulnerability through web-based ac
CVE-2020-9280 | P3 | HIGH | CWE-434 | affected: ≥ 4.0.0, < 4.4.6 | 2022-05-24
SilverStripe Folders migrated from 3.x may be unsafe to upload to
In SilverStripe through 4.5, files uploaded via Forms to folders migrated from Silverstripe CMS 3.x may be put to the default "/Uploads" folder instead. This affects installations which allowed upload folder protection via the optional silverstripe/secureassets module under 3.x. This module is installed and enabled by default on the Com
CVE-2023-22729 | P4 | MEDIUM | CWE-601 | CVSS 6.1 | fixed in 4.12.5 | 2023-04-26
Silverstripe Framework is the Model-View-Controller framework that powers the Silverstripe content management system. Prior to version 4.12.15, an attacker can display a link to a third party website on a login screen by convincing a legitimate content author to follow a specially crafted link. Users should upgrade to Silverstripe Framework 4.12.15
CVE-2024-32981 | P4 | MEDIUM | CWE-79 | CVSS 5.4 | fixed in 5.2.16 | 2024-07-17
Silverstripe framework is the PHP framework forming the base for the Silverstripe CMS. In affected versions a bad actor with access to edit content in the CMS could send a specifically crafted encoded payload to the server, which could be used to inject a JavaScript payload on the front end of the site. The payload would be sanitised on the clien
CVE-2025-30148 | P4 | MEDIUM | CWE-79 | CVSS 5.4 | affected: ≤ 5.3.23 | 2025-04-10
Silverstripe Framework is a PHP framework which powers the Silverstripe CMS. Prior to 5.3.23, a bad actor with access to edit content in the CMS could send a specifically crafted encoded payload to the server, which could be used to inject a JavaScript payload on the front end of the site. The payload would be sanitized on the client-side, but server-s
CVE-2019-12245 | P4 | MEDIUM | CWE-732 | affected: ≥ 0, < 3.6.8; ≥ 3.7.0, < 3.7.4; +2 more | 2019-11-12
Lack of access control on uploaded files
SilverStripe through 4.3.3 has incorrect access control for protected files uploaded via Upload::loadIntoFile(). An attacker may be able to guess a filename in silverstripe/assets via the AssetControlExtension.
CVE-2019-16409 | P4 | MEDIUM | CWE-200 | affected: ≥ 4.0.0, < 4.3.5; ≥ 4.4.0, < 4.4.4 | 2019-11-12
SilverStripe Versioned Files module: unpublished files are exposed publicly
In the Versioned Files module through 2.0.3 for SilverStripe 3.x, unpublished versions of files are publicly exposed to anyone who can guess their URL. This guess could be highly informed by a basic understanding of the symbiote/silverstripe-versionedfiles source code. (Users who upgrade from SilverStripe 3.x to 4.x
CVE-2019-14273 | P4 | MEDIUM | CWE-552 | affected: ≥ 4.0.0, < 4.3.5; ≥ 4.4.0, < 4.4.4 | 2020-07-15
Broken access control on files
In SilverStripe assets 4.0, there is broken access control on files.
CVE-2021-41559 | P4 | MEDIUM | CWE-776 | affected: ≥ 4.0.0, < 4.10.9 | 2022-06-29
Quadratic blowup in Convert::xml2array()
Silverstripe silverstripe/framework 4.x until 4.10.9 has a quadratic blowup in Convert::xml2array() that enables a remote attack via a crafted XML document.
CVE-2022-38724 | P4 | MEDIUM | CWE-79 | CVSS 5.4 | affected: ≥ 4.0.0, ≤ 4.11.0 | 2022-11-23
Silverstripe silverstripe/framework through 4.11.0, silverstripe/assets through 1.11.0, and silverstripe/asset-admin through 1.11.0 allow XSS.
CVE-2022-25238 | P4 | MEDIUM | CWE-79 | CVSS 5.4 | affected: ≤ 4.10.0 | 2022-06-28
Silverstripe silverstripe/framework through 4.10.0 allows XSS inside of script tags that can be added to website content via XHR by an authenticated CMS user if the cwp-core module is not installed or the sanitise_server_side config is not set to true in project code.
CVE-2024-53277 | P4 | MEDIUM | CWE-79 | CVSS 5.4 | fixed in 5.3.8 | 2025-01-14
Silverstripe Framework is a PHP framework which powers the Silverstripe CMS. In some cases, form messages can contain HTML markup. This is an intentional feature, allowing links and other relevant HTML markup for the given message. Some form messages include content that the user can provide. There are scenarios in the CMS where that content doesn't
CVE-2019-19326 | P4 | MEDIUM | CWE-444 | affected: ≥ 4.0.0, < 4.4.7; ≥ 4.5.0, < 4.5.4; +1 more | 2022-05-24
SilverStripe Web Cache Poisoning through HTTPRequestBuilder
SilverStripe through 4.4.4 allows Web Cache Poisoning through HTTPRequestBuilder.
CVE-2022-38462 | P4 | MEDIUM | CWE-79 | CVSS 6.1 | fixed in 4.11.13; affected: ≥ 3.0.0, ≤ 3.7.7 | 2022-11-22
Silverstripe silverstripe/framework through 4.11 is vulnerable to XSS by carefully crafting a return URL on a /dev/build or /Security/login request.
CVE-2022-38146 | P4 | MEDIUM | CWE-79 | CVSS 5.4 | affected: ≤ 4.11.0 | 2022-11-21
Silverstripe silverstripe/framework through 4.11 allows XSS (issue 2 of 3).
CVE-2022-37430 | P4 | MEDIUM | CWE-79 | CVSS 5.4 | affected: ≥ 3.0.0, < 4.11.13 | 2022-11-23
Silverstripe silverstripe/framework through 4.11 allows an XSS vulnerability via the href attribute of a link (issue 2 of 2).