silverstripe/framework Security Advisories for 4.5.3 (25)
-
[MEDIUM] CVE-2025-30148 - XSS vulnerability in HTML editor
PKSA-y2dn-63zz-mp8n CVE-2025-30148 GHSA-rhx4-hvx9-j387
Affected version: <5.3.23
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] SS-2025-001 - User enumeration via timing attack
PKSA-7qg6-pyzm-bc35 GHSA-256q-hx8w-xcqx
Affected version: <5.3.23
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] CVE-2024-53277 - XSS in form messages
PKSA-gr7c-c3q7-zxkd CVE-2024-53277 GHSA-ff6q-3c9c-6cf5
Affected version: <5.3.8
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] CVE-2024-47605 - XSS via insert media remote file oembed
PKSA-spqx-5bk6-c9yk CVE-2024-47605 GHSA-7cmp-cgg8-4c82
Affected version: <5.3.8
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[LOW] SS-2024-002 - Reflected Cross Site Scripting (XSS) in error message
PKSA-24rt-ffr7-cj1w GHSA-74j9-xhqr-6qv3
Affected version: <5.3.8
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] CVE-2024-32981 - XSS Vulnerability with text/html base64-encoded payload
PKSA-jndv-7cgy-xwm3 CVE-2024-32981 GHSA-chx7-9x8h-r5mg
Affected version: <5.2.16
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[LOW] SS-2024-001 - TinyMCE allows svg files linked in object tags
PKSA-8tf6-2hv5-c6tq GHSA-mqf3-qpc3-g26q
Affected version: <5.2.16
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] CVE-2023-48714 Record titles for restricted records can be viewed if exposed by GridFieldAddExistingAutocompleter
PKSA-vcdc-4796-kn58 CVE-2023-48714 GHSA-qm2j-qvq3-j29v
Affected version: >=3.0.0,<4.0.0|>=4.0.0,<4.13.39|>=5.0.0,<5.1.11
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[LOW] CVE-2023-32302 - Members with no password can be created and bypass custom login forms
PKSA-2t2m-vnwy-55q7 CVE-2023-32302 GHSA-36xx-7vf6-7mv3
Affected version: >=3.0.0,<4.13.14|>=5.0.0,<5.0.13
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] CVE-2023-22729 - Open redirect vulnerability on CMSSecurity relogin screen
PKSA-hkbw-7cv6-kp2b CVE-2023-22729 GHSA-fw84-xgm8-9jmv
Affected version: >=4.0.0,<4.12.5
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] CVE-2023-22728 - Missing permission check in GridFieldPrintButton
PKSA-r31r-w74j-z58p CVE-2023-22728 GHSA-jh3w-6jp2-vqqm
Affected version: >=4.0.0,<4.12.5
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] CVE-2022-28803: Stored XSS in link tags added via XHR
PKSA-d1c8-bxwg-9sbf CVE-2022-28803 GHSA-rppc-655v-7j3c
Affected version: >=4.0.0,<4.10.9
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] CVE-2022-25238: Stored XSS via HTML fields
PKSA-pwy1-2c1j-9m7p CVE-2022-25238 GHSA-jx34-gqqq-r6gm
Affected version: >=4.0.0,<4.10.9
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] CVE-2021-41559: Quadratic blowup in Convert::xml2array()
PKSA-9b8c-khwh-k6t3 CVE-2021-41559 GHSA-9fmg-89fx-r33w
Affected version: >=4.0.0,<4.10.9
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] SilverStripe XXE Vulnerability in CSSContentParser
PKSA-b5cb-66pw-rz2d CVE-2020-25817 GHSA-3vjc-5x79-m9r8
Affected version: >=4.0.0,<4.7.4
Reported by:
GitHub -
[MEDIUM] Business Logic Errors in SilverStripe Framework
PKSA-7j38-hj68-r82v CVE-2022-0227 GHSA-32m2-9f76-4gv8
Affected version: <4.10.1
Reported by:
GitHub -
[MEDIUM] CVE-2022-37429 - Stored XSS using HTMLEditor
PKSA-6c76-jv2c-jdb2 CVE-2022-37429 GHSA-wc6r-4ggc-79w5
Affected version: >=4.0.0,<4.11.13
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] CVE-2022-37430 - Stored XSS using uppercase characters in HTMLEditor
PKSA-vhcz-xnb3-24gr CVE-2022-37430 GHSA-qw4w-vq8v-2wcv
Affected version: >=4.0.0,<4.11.13
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[HIGH] CVE-2022-38148 - Blind SQL Injection via GridFieldSortableHeader
PKSA-66v9-dz78-mbvh CVE-2022-38148 GHSA-rr8h-f97q-8p9c
Affected version: >=4.0.0,<4.10.11|>=4.11.0,<4.11.14
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] CVE-2022-38462 - Reflected XSS in querystring parameters
PKSA-w2s3-shwy-3fdb CVE-2022-38462 GHSA-vvxf-r4vm-2vm6
Affected version: >=4.0.0,<4.11.13
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] CVE-2022-38724 - XSS in shortcodes
PKSA-nv1s-bg97-dttr CVE-2022-38724 GHSA-9cx2-hj6m-fv58
Affected version: >=4.0.0,<4.11.13
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] CVE-2020-26138 FormField: with square brackets in field name skips validation
PKSA-pq7g-1pwh-dw3n CVE-2020-26138 GHSA-7mv4-4xpg-xq44
Affected version: >=3.0.0,<4.0.0|>=4.0.0,<4.7.4
Reported by:
GitHub, FriendsOfPHP/security-advisories -
CVE-2021-25817 XXE: Vulnerability in CSSContentParser
PKSA-pkf7-4y19-7jgw CVE-2021-25817
Affected version: >=4.0.0,<4.7.4
Reported by:
FriendsOfPHP/security-advisories -
[HIGH] CVE-2020-6164: Information disclosure on /interactive URL path
PKSA-zhcm-grw1-sw1m CVE-2020-6164 GHSA-gm5x-hpmw-xpxg
Affected version: >=4.0.0,<4.4.7|>=4.5.0,<4.5.4
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] CVE-2019-19326: Web Cache Poisoning through HTTPRequestBuilder
PKSA-75gp-x5bj-hcwc CVE-2019-19326 GHSA-q9ff-3q93-fm8m
Affected version: >=4.0.0,<4.4.7|>=4.5.0,<4.5.4|>=3.0.0,<3.7.5
Reported by:
GitHub, FriendsOfPHP/security-advisories