Filtered by vendor Silverstripe
Subscribe
Total
89 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2010-4822 | 1 Silverstripe | 1 Silverstripe | 2026-04-29 | 4.3 MEDIUM | N/A |
| core/model/MySQLDatabase.php in SilverStripe 2.4.x before 2.4.4, when the site is running in "live mode," allows remote attackers to obtain the SQL queries for a page via the showqueries and ajax parameters. | |||||
| CVE-2013-2653 | 1 Silverstripe | 1 Silverstripe | 2026-04-29 | 5.8 MEDIUM | N/A |
| security/MemberLoginForm.php in SilverStripe 3.0.3 supports login using a GET request, which makes it easier for remote attackers to conduct phishing attacks without detection by the victim. | |||||
| CVE-2010-5091 | 1 Silverstripe | 1 Silverstripe | 2026-04-29 | 6.0 MEDIUM | N/A |
| The setName function in filesystem/File.php in SilverStripe 2.3.x before 2.3.8 and 2.4.x before 2.4.1 allows remote authenticated users with CMS author privileges to execute arbitrary PHP code by changing the extension of an uploaded file. | |||||
| CVE-2010-5095 | 1 Silverstripe | 1 Silverstripe | 2026-04-29 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in SilverStripe 2.3.x before 2.3.6 allows remote attackers to inject arbitrary web script or HTML via vectors related to DataObjectSet pagination. | |||||
| CVE-2010-5087 | 1 Silverstripe | 1 Silverstripe | 2026-04-29 | 5.0 MEDIUM | N/A |
| SilverStripe 2.3.x before 2.3.10 and 2.4.x before 2.4.4 allows remote attackers to bypass the cross-site request forgery (CSRF) protection mechanism and hijack the authentication of administrators via vectors related to "form action requests" using a controller. | |||||
| CVE-2010-5093 | 1 Silverstripe | 1 Silverstripe | 2026-04-29 | 5.0 MEDIUM | N/A |
| Member_ProfileForm in security/Member.php in SilverStripe 2.3.x before 2.3.7 allows remote attackers to hijack user accounts by saving data using the email address (ID) of another user. | |||||
| CVE-2010-5094 | 1 Silverstripe | 1 Silverstripe | 2026-04-29 | 5.0 MEDIUM | N/A |
| The deleteinstallfiles function in control/ContentController.php in SilverStripe 2.3.x before 2.3.7 does not require ADMIN permissions, which allows remote attackers to delete index.php and "disrupt mod_rewrite-less URL routing." | |||||
| CVE-2010-5089 | 1 Silverstripe | 1 Silverstripe | 2026-04-29 | 4.3 MEDIUM | N/A |
| SilverStripe before 2.4.2 does not properly restrict access to pages in draft mode, which allows remote attackers to obtain sensitive information. | |||||
| CVE-2011-4962 | 1 Silverstripe | 1 Silverstripe | 2026-04-29 | 6.8 MEDIUM | N/A |
| code/sitefeatures/PageCommentInterface.php in SilverStripe 2.4.x before 2.4.6 might allow remote attackers to execute arbitrary code via a crafted cookie in a user comment submission, which is not properly handled when it is deserialized. | |||||
| CVE-2012-0976 | 1 Silverstripe | 1 Silverstripe | 2026-04-29 | 2.1 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in admin/EditForm in SilverStripe 2.4.6 allows remote authenticated users with Content Authors privileges to inject arbitrary web script or HTML via the Title parameter. NOTE: some of these details are obtained from third party information. | |||||
| CVE-2010-5080 | 1 Silverstripe | 1 Silverstripe | 2026-04-29 | 6.8 MEDIUM | N/A |
| The Security/changepassword URL action in SilverStripe 2.3.x before 2.3.10 and 2.4.x before 2.4.4 passes a token as a GET parameter while changing a password through email, which allows remote attackers to obtain sensitive data and hijack the session via the HTTP referer logs on a server, aka "HTTP referer leakage." | |||||
| CVE-2010-5078 | 1 Silverstripe | 1 Silverstripe | 2026-04-29 | 5.0 MEDIUM | N/A |
| SilverStripe 2.3.x before 2.3.10 and 2.4.x before 2.4.4 stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain version information via a direct request to (1) apphire/silverstripe_version or (2) cms/silverstripe_version. | |||||
| CVE-2012-4968 | 1 Silverstripe | 1 Silverstripe | 2026-04-29 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in SilverStripe 2.3.x before 2.3.13 and 2.4.x before 2.4.7 allow remote attackers to inject arbitrary web script or HTML via (1) a crafted string to the AbsoluteLinks, (2) BigSummary, (3) ContextSummary, (4) EscapeXML, (5) FirstParagraph, (6) FirstSentence, (7) Initial, (8) LimitCharacters, (9) LimitSentences, (10) LimitWordCount, (11) LimitWordCountXML, (12) Lower, (13) LowerCase, (14) NoHTML, (15) Summary, (16) Upper, (17) UpperCase, or (18) URL method in a template, different vectors than CVE-2012-0976. | |||||
| CVE-2010-5188 | 1 Silverstripe | 1 Silverstripe | 2026-04-29 | 5.0 MEDIUM | N/A |
| SilverStripe 2.3.x before 2.3.6 allows remote attackers to obtain sensitive information via the (1) debug_memory parameter to core/control/Director.php or (2) debug_profile parameter to main.php. | |||||
| CVE-2009-1433 | 1 Silverstripe | 1 Silverstripe | 2026-04-23 | 7.5 HIGH | N/A |
| SQL injection vulnerability in File::find (filesystem/File.php) in SilverStripe before 2.3.1 allows remote attackers to execute arbitrary SQL commands via the filename parameter. | |||||
| CVE-2008-6753 | 1 Silverstripe | 1 Silverstripe | 2026-04-23 | 7.5 HIGH | N/A |
| SQL injection vulnerability in SilverStripe before 2.2.2 allows remote attackers to execute arbitrary SQL commands via unspecified vectors related to AjaxUniqueTextField. | |||||
| CVE-2007-2321 | 1 Silverstripe | 1 Silverstripe | 2026-04-23 | 10.0 HIGH | N/A |
| Unspecified vulnerability in the search functionality in SilverStripe 2.0.0 has unknown impact and attack vectors. | |||||
| CVE-2024-53277 | 1 Silverstripe | 1 Framework | 2025-09-04 | N/A | 5.4 MEDIUM |
| Silverstripe Framework is a PHP framework which powers the Silverstripe CMS. In some cases, form messages can contain HTML markup. This is an intentional feature, allowing links and other relevant HTML markup for the given message. Some form messages include content that the user can provide. There are scenarios in the CMS where that content doesn't get correctly sanitised prior to being included in the form message, resulting in an XSS vulnerability. This issue has been addressed in silverstripe/framework version 5.3.8 and users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2025-30148 | 1 Silverstripe | 1 Framework | 2025-09-04 | N/A | 5.4 MEDIUM |
| Silverstripe Framework is a PHP framework which powers the Silverstripe CMS. Prior to 5.3.23, bad actor with access to edit content in the CMS could send a specifically crafted encoded payload to the server, which could be used to inject a JavaScript payload on the front end of the site. The payload would be sanitized on the client-side, but server-side sanitization doesn't catch it. The server-side sanitization logic has been updated to sanitize against this attack. This vulnerability is fixed in 5.3.23. | |||||
| CVE-2024-32981 | 1 Silverstripe | 1 Framework | 2025-09-04 | N/A | 5.4 MEDIUM |
| Silverstripe framework is the PHP framework forming the base for the Silverstripe CMS. In affected versions a bad actor with access to edit content in the CMS could add send a specifically crafted encoded payload to the server, which could be used to inject a JavaScript payload on the front end of the site. The payload would be sanitised on the client-side, but server-side sanitisation doesn't catch it. The server-side sanitisation logic has been updated to sanitise against this type of attack in version 5.2.16. All users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||