silverstripe/framework Security Advisories (93)
-
[MEDIUM] CVE-2025-30148 - XSS vulnerability in HTML editor
PKSA-y2dn-63zz-mp8n CVE-2025-30148 GHSA-rhx4-hvx9-j387
Affected version: <5.3.23
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] SS-2025-001 - User enumeration via timing attack
PKSA-7qg6-pyzm-bc35 GHSA-256q-hx8w-xcqx
Affected version: <5.3.23
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] CVE-2024-53277 - XSS in form messages
PKSA-gr7c-c3q7-zxkd CVE-2024-53277 GHSA-ff6q-3c9c-6cf5
Affected version: <5.3.8
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] CVE-2024-47605 - XSS via insert media remote file oembed
PKSA-spqx-5bk6-c9yk CVE-2024-47605 GHSA-7cmp-cgg8-4c82
Affected version: <5.3.8
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[LOW] SS-2024-002 - Reflected Cross Site Scripting (XSS) in error message
PKSA-24rt-ffr7-cj1w GHSA-74j9-xhqr-6qv3
Affected version: <5.3.8
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] CVE-2024-32981 - XSS Vulnerability with text/html base64-encoded payload
PKSA-jndv-7cgy-xwm3 CVE-2024-32981 GHSA-chx7-9x8h-r5mg
Affected version: <5.2.16
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[LOW] SS-2024-001 - TinyMCE allows svg files linked in object tags
PKSA-8tf6-2hv5-c6tq GHSA-mqf3-qpc3-g26q
Affected version: <5.2.16
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] CVE-2023-48714 Record titles for restricted records can be viewed if exposed by GridFieldAddExistingAutocompleter
PKSA-vcdc-4796-kn58 CVE-2023-48714 GHSA-qm2j-qvq3-j29v
Affected version: >=3.0.0,<4.0.0|>=4.0.0,<4.13.39|>=5.0.0,<5.1.11
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[LOW] CVE-2023-32302 - Members with no password can be created and bypass custom login forms
PKSA-2t2m-vnwy-55q7 CVE-2023-32302 GHSA-36xx-7vf6-7mv3
Affected version: >=3.0.0,<4.13.14|>=5.0.0,<5.0.13
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] CVE-2023-22729 - Open redirect vulnerability on CMSSecurity relogin screen
PKSA-hkbw-7cv6-kp2b CVE-2023-22729 GHSA-fw84-xgm8-9jmv
Affected version: >=4.0.0,<4.12.5
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] CVE-2023-22728 - Missing permission check in GridFieldPrintButton
PKSA-r31r-w74j-z58p CVE-2023-22728 GHSA-jh3w-6jp2-vqqm
Affected version: >=4.0.0,<4.12.5
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] CVE-2022-28803: Stored XSS in link tags added via XHR
PKSA-d1c8-bxwg-9sbf CVE-2022-28803 GHSA-rppc-655v-7j3c
Affected version: >=4.0.0,<4.10.9
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] CVE-2022-25238: Stored XSS via HTML fields
PKSA-pwy1-2c1j-9m7p CVE-2022-25238 GHSA-jx34-gqqq-r6gm
Affected version: >=4.0.0,<4.10.9
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] CVE-2021-41559: Quadratic blowup in Convert::xml2array()
PKSA-9b8c-khwh-k6t3 CVE-2021-41559 GHSA-9fmg-89fx-r33w
Affected version: >=4.0.0,<4.10.9
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] SilverStripe XXE Vulnerability in CSSContentParser
PKSA-b5cb-66pw-rz2d CVE-2020-25817 GHSA-3vjc-5x79-m9r8
Affected version: >=4.0.0,<4.7.4
Reported by:
GitHub -
[HIGH] SilverStripe Folders migrated from 3.x may be unsafe to upload to
PKSA-b4jh-m6fk-qfqf CVE-2020-9280 GHSA-592m-4533-rxq9
Affected version: >=4.0.0,<4.4.6
Reported by:
GitHub -
[MEDIUM] Silverstripe XSS Vulnerabilities
PKSA-b2bh-3nd5-4ft2 CVE-2012-4968 GHSA-v358-rvxr-wffx
Affected version: >=2.4,<2.4.7|>=2.3,<2.3.13
Reported by:
GitHub -
[MEDIUM] SilverStripe CSV Excel Macro Injection
PKSA-4npp-z2k1-kdtx CVE-2017-18049 GHSA-2jvj-mhf2-g99w
Affected version: >=4.0.0,<4.0.1|>=3.6.0,<3.6.3|<3.5.6
Reported by:
GitHub -
[MEDIUM] Silverstripe CMS Open Redirect
PKSA-ktdv-zx9y-ctn1 CVE-2015-5062 GHSA-fh35-p8ph-p545
Affected version: <=3.1.13
Reported by:
GitHub -
[LOW] SilverStripe vulnerable to Cross-site Scripting
PKSA-wbdb-v7tw-pbtq CVE-2010-1593 GHSA-wg4m-vvp6-2hc5
Affected version: <2.3.5
Reported by:
GitHub -
[MEDIUM] Business Logic Errors in SilverStripe Framework
PKSA-7j38-hj68-r82v CVE-2022-0227 GHSA-32m2-9f76-4gv8
Affected version: <4.10.1
Reported by:
GitHub -
[MEDIUM] CVE-2022-37429 - Stored XSS using HTMLEditor
PKSA-6c76-jv2c-jdb2 CVE-2022-37429 GHSA-wc6r-4ggc-79w5
Affected version: >=4.0.0,<4.11.13
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] CVE-2022-37430 - Stored XSS using uppercase characters in HTMLEditor
PKSA-vhcz-xnb3-24gr CVE-2022-37430 GHSA-qw4w-vq8v-2wcv
Affected version: >=4.0.0,<4.11.13
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[HIGH] CVE-2022-38148 - Blind SQL Injection via GridFieldSortableHeader
PKSA-66v9-dz78-mbvh CVE-2022-38148 GHSA-rr8h-f97q-8p9c
Affected version: >=4.0.0,<4.10.11|>=4.11.0,<4.11.14
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] CVE-2022-38462 - Reflected XSS in querystring parameters
PKSA-w2s3-shwy-3fdb CVE-2022-38462 GHSA-vvxf-r4vm-2vm6
Affected version: >=4.0.0,<4.11.13
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] CVE-2022-38724 - XSS in shortcodes
PKSA-nv1s-bg97-dttr CVE-2022-38724 GHSA-9cx2-hj6m-fv58
Affected version: >=4.0.0,<4.11.13
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] CVE-2020-26138 FormField: with square brackets in field name skips validation
PKSA-pq7g-1pwh-dw3n CVE-2020-26138 GHSA-7mv4-4xpg-xq44
Affected version: >=3.0.0,<4.0.0|>=4.0.0,<4.7.4
Reported by:
GitHub, FriendsOfPHP/security-advisories -
CVE-2021-25817 XXE: Vulnerability in CSSContentParser
PKSA-pkf7-4y19-7jgw CVE-2021-25817
Affected version: >=4.0.0,<4.7.4
Reported by:
FriendsOfPHP/security-advisories -
[MEDIUM] CVE-2020-9311: Malicious user profile information can cause login form XSS
PKSA-34vk-6svm-bpgy CVE-2020-9311 GHSA-2pw2-qpcp-m47x
Affected version: >=3.0.0,<3.7.5
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[HIGH] CVE-2020-6164: Information disclosure on /interactive URL path
PKSA-zhcm-grw1-sw1m CVE-2020-6164 GHSA-gm5x-hpmw-xpxg
Affected version: >=4.0.0,<4.4.7|>=4.5.0,<4.5.4
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] CVE-2019-19326: Web Cache Poisoning through HTTPRequestBuilder
PKSA-75gp-x5bj-hcwc CVE-2019-19326 GHSA-q9ff-3q93-fm8m
Affected version: >=4.0.0,<4.4.7|>=4.5.0,<4.5.4|>=3.0.0,<3.7.5
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] CVE-2019-19325: XSS through non-scalar FormField attributes
PKSA-cttv-q8kk-m71w CVE-2019-19325 GHSA-qvrv-2x7x-78x2
Affected version: >=4.0.0,<4.4.5|>=4.5.0,<4.5.2
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] Lack of access control on upoaded files
PKSA-5yvt-vswv-zn54 CVE-2019-12245 GHSA-jvx5-rm6q-gx7p
Affected version: >=4.4.0,<4.4.4|>=4.0.0,<4.3.6|>=3.7.0,<3.7.4|<3.6.8
Reported by:
GitHub -
[MEDIUM] CVE-2019-14272: XSS in file titles managed through the CMS
PKSA-qgy1-mwbw-7ywr CVE-2019-14272 GHSA-jgw2-f5mx-rg7h
Affected version: >=4.0.0,<4.3.5|>=4.4.0,<4.4.4
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[CRITICAL] CVE-2019-12204: Missing warning on install.php on public webroot can lead to unauthenticated admin access
PKSA-5v3s-v315-b3zz CVE-2019-12204 GHSA-cg8j-8w52-735v
Affected version: >=4.1.0,<4.3.5|>=4.4.0,<4.4.4
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] CVE-2019-12205: Clipboard Reflected XSS
PKSA-89c6-sr3z-fq77 CVE-2019-12205 GHSA-rfvw-5848-gxc5
Affected version: >=3.0.0,<3.9.99|>=4.3.0,<4.3.5|>=4.4.0,<4.4.4
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[LOW] CVE-2019-12617: Access escalation for CMS users with limited access through permission cache pollution
PKSA-5rys-h48p-tw2m CVE-2019-12617 GHSA-6r58-4xgr-gm6m
Affected version: >=4.3.0,<4.3.5|>=4.4.0,<4.4.4
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] CVE-2019-14273: Broken Access control on files
PKSA-g9hg-jbs3-qz4m CVE-2019-14273 GHSA-43jj-2rwc-2m3f
Affected version: >=4.0.0,<4.3.5|>=4.4.0,<4.4.4
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] CVE-2019-16409: Secureassets and versionedfiles modules can expose versions of protected files
PKSA-wp9q-nw9g-sv7t CVE-2019-16409 GHSA-xm6j-x342-gwq9
Affected version: >=4.0.0,<4.3.5|>=4.4.0,<4.4.4
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] CVE-2019-12203: Session fixation in "change password" form
PKSA-wh2k-pccc-jn5p CVE-2019-12203 GHSA-w7r7-r8r9-vrg2
Affected version: >=3.6.0,<3.6.8|>=3.7.0,<3.7.4|>=4.0.0,<4.3.5|>=4.4.0,<4.4.4
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] CVE-2019-12246: Denial of Service on flush and development URL tools
PKSA-9415-sntm-q9m8 CVE-2019-12246 GHSA-5fr8-xhqq-4p3q
Affected version: >=4.0.0,<4.4.0|>=4.1.0,<4.4.0|>=4.2.0,<4.4.0|>=4.3.0,<4.4.0
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[CRITICAL] CVE-2019-5715: Reflected SQL Injection through Form and DataObject
PKSA-sn55-3v1d-5xkw CVE-2019-5715 GHSA-wvfw-w3x6-g526
Affected version: >=3.0.0,<3.6.7|>=3.7.0,<3.7.3|>=4.0.0,<4.0.7|>=4.1.0,<4.1.5|>=4.2.0,<4.2.4|>=4.3.0,<4.3.1
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[HIGH] SS-2018-020: Potential SQL vulnerability in PostgreSQL database connector
PKSA-bjgf-7bw4-5jkn GHSA-m5q3-mvcr-gc5m
Affected version: >=4.0.0,<4.0.6|>=4.1.0,<4.1.4|>=4.2.0,<4.2.3
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] SS-2018-019: Possible denial of service attack vector when flushing
PKSA-phcb-cpj7-6d3j GHSA-468j-6jrc-2rjx
Affected version: >=4.0.0,<4.0.5|>=4.1.0,<4.1.3|>=4.2.0,<4.2.2
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] SS-2018-018: Database credentials disclosure during connection failure
PKSA-zv9g-ttsw-sg54 GHSA-c4c3-j73v-634r
Affected version: >=3.7.0,<3.7.1|>=4.0.0,<4.0.5|>=4.1.0,<4.1.3|>=4.2.0,<4.2.2
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[HIGH] SS-2018-012: Uploaded PHP script execution in assets
PKSA-hfg3-m3wq-5sfy GHSA-25gq-jvx2-vg9x
Affected version: >=4.0.0,<4.0.4|>=4.1.0,<4.1.1
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] SS-2018-013: Passwords sent back to browsers under some circumstances
PKSA-th4m-g9z7-6q8r GHSA-vp8p-c6xj-xpj7
Affected version: >=3.5.5,<3.7.0|>=4.0.3,<4.0.4|>=4.1.0,<4.1.1
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] SS-2018-005: isDev and isTest unguarded
PKSA-tdy9-8my8-6s7g GHSA-r32j-mr8p-hfp8
Affected version: >=4.0.0,<4.0.4|>=4.1.0,<4.1.1
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] SS-2018-006: Code execution vulnerability
PKSA-x8d7-vh36-bczf GHSA-g43w-98wp-m694
Affected version: >=4.0.3,<4.0.4|>=4.1.0,<4.1.1
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] SS-2018-008: BackURL validation bypass with malformed URLs
PKSA-r6q9-f6rj-1d2w GHSA-j982-5jv7-v43r
Affected version: >=4.0.0,<4.0.4|>=4.1.0,<4.1.1
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] SS-2018-010: Member disclosure in login form
PKSA-nvnj-5889-jzd9 GHSA-x5w2-wcr8-9q45
Affected version: >=4.0.0,<4.0.4|>=4.1.0,<4.1.1
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[CRITICAL] SS-2018-014: Dangerous file types in allowed upload
PKSA-bgw4-m81v-y1gj GHSA-8v6m-7f5v-hhx6
Affected version: >=3.6.5,<3.6.6|>=4.0.3,<4.0.4|>=4.1.0,<4.1.1
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[HIGH] SS-2018-001: Privilege Escalation Risk in Member Edit form
PKSA-vy34-js2r-wkxj GHSA-265q-222x-52m6
Affected version: >=3.5.7,<3.5.8|>=3.6.0,<3.6.6|>=4.0.0,<4.0.4|>=4.1.0,<4.1.1
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] SS-2017-010: install.php discloses sensitive data by pre-populating DB credential forms
PKSA-d8tr-mcrb-z95t GHSA-r9vp-fp72-xgf7
Affected version: >=4.0.0,<4.0.1
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] SS-2017-009: Users inadvertently passing sensitive data to LoginAttempt
PKSA-drtz-1sqz-9xcw GHSA-vj2j-6g3w-4662
Affected version: >=3.5.0,<3.5.6|>=3.6.0,<3.6.3|>=4.0.0,<4.0.1
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[HIGH] SS-2017-007: CSV Excel Macro Injection
PKSA-vxjn-1q46-f6sf GHSA-mqjc-x563-c9q8
Affected version: >=3.5.0,<3.5.6|>=3.6.0,<3.6.3|>=4.0.0,<4.0.1
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] SS-2017-008: SQL injection in full text search of SilverStripe 4
PKSA-374x-kczb-dk1n GHSA-52cw-pvq9-9m5v
Affected version: >=3.5.0,<3.5.6|>=3.6.0,<3.6.3|>=4.0.0,<4.0.1
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] SS-2017-006: Session user agent change detection
PKSA-qgw5-v9gv-s75z GHSA-m8v7-x398-pxrf
Affected version: >=3.5.0,<3.5.6|>=3.6.0,<3.6.3
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] SS-2017-005: User enumeration via timing attack on login and password reset forms
PKSA-95gt-f8d7-9gcg GHSA-g4hp-pfvf-vm5w
Affected version: >=3.5.0,<3.5.5|>=3.6.0,<3.6.2
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] SS-2017-002: Member disclosure in login form
PKSA-7nk4-stp5-bg39 GHSA-p5h2-vr99-xm99
Affected version: >=3.4.0,<3.4.6|>=3.5.0,<3.5.4
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[HIGH] SS-2017-004: XSS in page history comparison
PKSA-qt6n-rv4n-mdrh GHSA-cwgq-83w5-8jfq
Affected version: >=3.4.0,<3.4.6|>=3.5.0,<3.5.4
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[HIGH] SS-2017-003: XSS in RedirectorPage
PKSA-c5xx-ym8s-c3ty GHSA-vgxh-x8jv-hmff
Affected version: >=3.4.0,<3.4.6|>=3.5.0,<3.5.4
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] SS-2017-001: XSS In page name
PKSA-rnbc-t8d7-m7fs GHSA-55qg-6c4m-mw6g
Affected version: >=3.4.0,<3.4.4|>=3.5.0,<3.5.2
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] SS-2016-010: ReadOnly transformation for formfields exploitable
PKSA-j8mg-1yjt-xbcg GHSA-xpff-c35g-j3cr
Affected version: >=3.1.0,<3.1.21|>=3.2.0,<3.2.6|>=3.3.0,<3.3.4|>=3.4.0,<3.4.2
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] SS-2016-016: XSS In CMSSecurity BackURL
PKSA-k5zs-4c34-gd54 GHSA-hhvj-mcrx-3vcf
Affected version: >=3.1.0,<3.1.21|>=3.2.0,<3.2.6|>=3.3.0,<3.3.4|>=3.4.0,<3.4.2
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] SS-2016-007: VersionedRequestFilter vulnerability
PKSA-mjbz-d7yg-jtdy GHSA-mpqj-f4v3-334h
Affected version: >=3.3.2,<3.3.3|>=3.4.0,<3.4.1
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] SS-2016-004: XSS in CMS Edit Page
PKSA-yqcs-vchj-vdpp GHSA-97jm-g33h-f46g
Affected version: >=3.1.18,<3.1.19|>=3.2.3,<3.2.4|>=3.3.1,<3.3.2
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] SS-2016-006: Missing CSRF protection in login form
PKSA-pndp-7357-wkqq GHSA-pp7q-6j3f-74vj
Affected version: >=3.1.18,<3.1.19|>=3.2.3,<3.2.4|>=3.3.1,<3.3.2
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] SS-2016-005: Brute force bypass on default admin
PKSA-bygs-shcq-g2rt GHSA-2hpc-mf4q-j885
Affected version: >=3.1.18,<3.1.19|>=3.2.3,<3.2.4|>=3.3.1,<3.3.2
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] SS-2016-003: Hostname, IP and Protocol Spoofing through HTTP Headers
PKSA-bnbw-tbzq-5ykk GHSA-r85g-7jpv-8xrx
Affected version: >=3.1.0,<=3.1.16|>=3.2.0,<=3.2.1|>3.2,<3.3.0
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] SS-2015-028: Missing security check on dev/build/defaults
PKSA-tdvc-fx4y-y9yf GHSA-4h54-vwx9-3vr3
Affected version: >=3.1.0,<=3.1.16|>=3.2.0,<=3.2.1|>3.2,<3.3.0
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] SS-2016-002: CSRF vulnerability in GridFieldAddExistingAutocompleter
PKSA-gg94-wpcm-tbtp GHSA-g84q-cq55-xwgp
Affected version: >=3.1.0,<=3.1.16|>=3.2.0,<=3.2.1|>3.2,<3.3.0
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] SS-2015-027: HtmlEditor embed url sanitisation
PKSA-7xtp-kt8p-p95z GHSA-crr3-h4m8-7f56
Affected version: >=3.0.0,<3.1.0|>=3.1.0,<3.2.0|>=3.2.0,<3.2.1
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] SS-2015-026: Form field validation message XSS vulnerability
PKSA-mjkn-vqsc-z7x7 GHSA-52cx-hpc5-cxwc
Affected version: >=3.0.0,<3.1.0|>=3.1.0,<3.1.16|>=3.2.0,<3.2.1
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] SS-2015-016: XSS in install.php
PKSA-js58-hfd4-mkkf GHSA-f43j-8hq4-2xj9
Affected version: >=3.1.0,<3.1.14
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] SS-2015-015: XSS in dev/build returnURL Parameter
PKSA-k8vj-swsf-842v GHSA-r3pr-fh25-wrfc
Affected version: >=3.1.0,<3.1.14
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[LOW] SS-2015-013: X-Forwarded-Host request hostname injection
PKSA-9c27-c7kd-s22x GHSA-vh7q-j8p5-2h4h
Affected version: >=3.1.0,<3.1.13
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] SS-2015-014: Vulnerability on 'isDev', 'isTest' and 'flush' $_GET validation
PKSA-wt32-ns28-f45d GHSA-ph62-fv59-vf9h
Affected version: >=3.0.0,<=3.0.13|>=3.1.0,<3.1.13
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[HIGH] SS-2015-012: External redirection risk in Security?ReturnURL
PKSA-td9q-mf48-mqpm GHSA-xx4r-5265-48j6
Affected version: >=3.0.0,<=3.0.13|>=3.1.0,<=3.1.12
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[HIGH] SS-2015-011: Potential SQL Injection Vulnerability
PKSA-bkm6-5mwx-3kd3 GHSA-7m2v-x7rg-5hm5
Affected version: >=3.0.0,<=3.0.13|>=3.1.0,<3.1.13
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[HIGH] SS-2016-011: ChangePasswordForm does not check Member::canLogIn()
PKSA-fcfc-m8v4-1fmz GHSA-vcg6-8fxc-x5cq
Affected version: >=3.1.19,<3.1.20|>=3.2.4,<3.2.5|>=3.3.2,<3.3.3|>=3.4.0,<3.4.1
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[LOW] SS-2016-008: Password encryption salt expiry
PKSA-t56m-1ns1-fswz GHSA-f3wp-xpv2-6vmg
Affected version: >=3.1.19,<3.1.20|>=3.2.4,<3.2.5|>=3.3.2,<3.3.3|>=3.4.0,<3.4.1
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] SS-2016-014: Pre-existing alc_enc cookies log users in if remember me is disabled
PKSA-k578-1frj-r2p3 GHSA-mqf5-275h-gf6r
Affected version: >=3.1.19,<3.1.20|>=3.2.4,<3.2.5|>=3.3.2,<3.3.3|>=3.4.0,<3.4.1
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] SS-2016-015: XSS In OptionsetField and CheckboxSetField
PKSA-379h-891s-2kgm GHSA-hq4p-5mpr-jj9m
Affected version: >=3.1.19,<3.1.20|>=3.2.4,<3.2.5|>=3.3.2,<3.3.3|>=3.4.0,<3.4.1
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] SS-2016-013: Member.Name is not escaped
PKSA-fk63-8cvc-d8nr GHSA-jqp8-v74p-g8px
Affected version: >=3.1.9,<3.1.20|>=3.2.4,<3.2.5|>=3.3.2,<3.3.3|>=3.4.0,<3.4.1
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] SS-2016-012: Missing ACL on reports
PKSA-hk5w-y52r-kkfj GHSA-5f5v-5c3v-gw5v
Affected version: >=3.1.19,<3.1.20|>=3.2.4,<3.2.5|>=3.3.2,<3.3.3|>=3.4.0,<3.4.1
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] SS-2015-010: XSS in Director::force_redirect()
PKSA-4bc1-163x-xfz9 GHSA-m2hh-2m46-x6j5
Affected version: >=3.1.0,<3.1.12
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[LOW] SS-2015-009: XSS In rewritten hash links
PKSA-z1m7-vnpc-524q GHSA-5r8w-66hq-rc39
Affected version: >=3.0.0,<=3.0.12|>=3.1.0,<=3.1.11
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] SS-2014-015: IE requests not properly behaving with rewritehashlinks
PKSA-dwpn-yczp-hpvw GHSA-34q6-xqxh-gq39
Affected version: >=3.0.0,<=3.0.12|>=3.1.0,<=3.1.11
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[HIGH] SS-2015-006: XSS In GridField print
PKSA-ypv8-3cmn-66k7 GHSA-4qx8-j9vh-2628
Affected version: >=3.1.0,<3.1.10
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] SS-2015-004: TreeDropdownField and TreeMultiSelectField XSS
PKSA-4b5m-tw4q-3fmq GHSA-qp29-wcc2-vmpc
Affected version: >=3.1.0,<=3.1.9
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] SS-2015-007: XSS In FormAction
PKSA-r8bz-4tyw-cqq7 GHSA-88jp-9jrv-6368
Affected version: >=3.1.0,<=3.1.9
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] SS-2014-017: XML Quadratic Blowup Attack
PKSA-xhsq-x1jb-f31d GHSA-87pf-7x99-5xc4
Affected version: >=3.1.0,<=3.1.11
Reported by:
GitHub, FriendsOfPHP/security-advisories