Search criteria
12 vulnerabilities found for silverstripe-framework by silverstripe
CVE-2025-30148 (GCVE-0-2025-30148)
Vulnerability from cvelistv5 – Published: 2025-04-10 13:02 – Updated: 2025-04-10 13:34
VLAI?
Title
Silverstripe Framework has a XSS vulnerability in HTML editor
Summary
Silverstripe Framework is a PHP framework which powers the Silverstripe CMS. Prior to 5.3.23, bad actor with access to edit content in the CMS could send a specifically crafted encoded payload to the server, which could be used to inject a JavaScript payload on the front end of the site. The payload would be sanitized on the client-side, but server-side sanitization doesn't catch it. The server-side sanitization logic has been updated to sanitize against this attack. This vulnerability is fixed in 5.3.23.
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| silverstripe | silverstripe-framework |
Affected:
< 5.3.23
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30148",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-10T13:34:01.603624Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-10T13:34:14.930Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "silverstripe-framework",
"vendor": "silverstripe",
"versions": [
{
"status": "affected",
"version": "\u003c 5.3.23"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Silverstripe Framework is a PHP framework which powers the Silverstripe CMS. Prior to 5.3.23, bad actor with access to edit content in the CMS could send a specifically crafted encoded payload to the server, which could be used to inject a JavaScript payload on the front end of the site. The payload would be sanitized on the client-side, but server-side sanitization doesn\u0027t catch it. The server-side sanitization logic has been updated to sanitize against this attack. This vulnerability is fixed in 5.3.23."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-10T13:02:22.415Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-rhx4-hvx9-j387",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-rhx4-hvx9-j387"
},
{
"name": "https://github.com/silverstripe/silverstripe-framework/commit/e99cfd62d160d145a76fcf9631e6b11226e42358",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/silverstripe/silverstripe-framework/commit/e99cfd62d160d145a76fcf9631e6b11226e42358"
},
{
"name": "https://www.silverstripe.org/download/security-releases/cve-2025-30148",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.silverstripe.org/download/security-releases/cve-2025-30148"
}
],
"source": {
"advisory": "GHSA-rhx4-hvx9-j387",
"discovery": "UNKNOWN"
},
"title": "Silverstripe Framework has a XSS vulnerability in HTML editor"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-30148",
"datePublished": "2025-04-10T13:02:22.415Z",
"dateReserved": "2025-03-17T12:41:42.565Z",
"dateUpdated": "2025-04-10T13:34:14.930Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-53277 (GCVE-0-2024-53277)
Vulnerability from cvelistv5 – Published: 2025-01-14 22:45 – Updated: 2025-01-15 14:52
VLAI?
Title
Cross-site Scripting in form messages in silverstripe framework
Summary
Silverstripe Framework is a PHP framework which powers the Silverstripe CMS. In some cases, form messages can contain HTML markup. This is an intentional feature, allowing links and other relevant HTML markup for the given message. Some form messages include content that the user can provide. There are scenarios in the CMS where that content doesn't get correctly sanitised prior to being included in the form message, resulting in an XSS vulnerability. This issue has been addressed in silverstripe/framework version 5.3.8 and users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| silverstripe | silverstripe-framework |
Affected:
< 5.3.8
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-53277",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-15T14:52:17.681845Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-15T14:52:21.490Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "silverstripe-framework",
"vendor": "silverstripe",
"versions": [
{
"status": "affected",
"version": "\u003c 5.3.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Silverstripe Framework is a PHP framework which powers the Silverstripe CMS. In some cases, form messages can contain HTML markup. This is an intentional feature, allowing links and other relevant HTML markup for the given message. Some form messages include content that the user can provide. There are scenarios in the CMS where that content doesn\u0027t get correctly sanitised prior to being included in the form message, resulting in an XSS vulnerability. This issue has been addressed in silverstripe/framework version 5.3.8 and users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-14T22:45:07.403Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-ff6q-3c9c-6cf5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-ff6q-3c9c-6cf5"
},
{
"name": "https://github.com/silverstripe/silverstripe-framework/commit/74904f539347b7d1f8c5b5fb9e28d62ff251ee00",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/silverstripe/silverstripe-framework/commit/74904f539347b7d1f8c5b5fb9e28d62ff251ee00"
},
{
"name": "https://www.silverstripe.org/download/security-releases/cve-2024-53277",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.silverstripe.org/download/security-releases/cve-2024-53277"
}
],
"source": {
"advisory": "GHSA-ff6q-3c9c-6cf5",
"discovery": "UNKNOWN"
},
"title": "Cross-site Scripting in form messages in silverstripe framework"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-53277",
"datePublished": "2025-01-14T22:45:07.403Z",
"dateReserved": "2024-11-19T20:08:14.484Z",
"dateUpdated": "2025-01-15T14:52:21.490Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-32981 (GCVE-0-2024-32981)
Vulnerability from cvelistv5 – Published: 2024-07-17 19:36 – Updated: 2024-08-02 02:27
VLAI?
Title
Cross-site Scripting vulnerability with encoded payload in silverstripe/framework
Summary
Silverstripe framework is the PHP framework forming the base for the Silverstripe CMS. In affected versions a bad actor with access to edit content in the CMS could add send a specifically crafted encoded payload to the server, which could be used to inject a JavaScript payload on the front end of the site. The payload would be sanitised on the client-side, but server-side sanitisation doesn't catch it. The server-side sanitisation logic has been updated to sanitise against this type of attack in version 5.2.16. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| silverstripe | silverstripe-framework |
Affected:
< 5.2.16
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-32981",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-18T13:18:39.317587Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-18T13:18:50.890Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:27:53.196Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-chx7-9x8h-r5mg",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-chx7-9x8h-r5mg"
},
{
"name": "https://github.com/silverstripe/silverstripe-framework/commit/b8d20dc9d531550e06fd7da7a0eafa551922e2e1",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/silverstripe/silverstripe-framework/commit/b8d20dc9d531550e06fd7da7a0eafa551922e2e1"
},
{
"name": "https://www.silverstripe.org/download/security-releases/cve-2024-32981",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.silverstripe.org/download/security-releases/cve-2024-32981"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "silverstripe-framework",
"vendor": "silverstripe",
"versions": [
{
"status": "affected",
"version": "\u003c 5.2.16"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Silverstripe framework is the PHP framework forming the base for the Silverstripe CMS. In affected versions a bad actor with access to edit content in the CMS could add send a specifically crafted encoded payload to the server, which could be used to inject a JavaScript payload on the front end of the site. The payload would be sanitised on the client-side, but server-side sanitisation doesn\u0027t catch it. The server-side sanitisation logic has been updated to sanitise against this type of attack in version 5.2.16. All users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-17T19:36:00.563Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-chx7-9x8h-r5mg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-chx7-9x8h-r5mg"
},
{
"name": "https://github.com/silverstripe/silverstripe-framework/commit/b8d20dc9d531550e06fd7da7a0eafa551922e2e1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/silverstripe/silverstripe-framework/commit/b8d20dc9d531550e06fd7da7a0eafa551922e2e1"
},
{
"name": "https://www.silverstripe.org/download/security-releases/cve-2024-32981",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.silverstripe.org/download/security-releases/cve-2024-32981"
}
],
"source": {
"advisory": "GHSA-chx7-9x8h-r5mg",
"discovery": "UNKNOWN"
},
"title": "Cross-site Scripting vulnerability with encoded payload in silverstripe/framework"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-32981",
"datePublished": "2024-07-17T19:36:00.563Z",
"dateReserved": "2024-04-22T15:14:59.167Z",
"dateUpdated": "2024-08-02T02:27:53.196Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-48714 (GCVE-0-2023-48714)
Vulnerability from cvelistv5 – Published: 2024-01-23 13:49 – Updated: 2025-06-17 21:19
VLAI?
Title
Record titles for restricted records can be viewed if exposed by GridFieldAddExistingAutocompleter
Summary
Silverstripe Framework is the framework that forms the base of the Silverstripe content management system. Prior to versions 4.13.39 and 5.1.11, if a user should not be able to see a record, but that record can be added to a `GridField` using the `GridFieldAddExistingAutocompleter` component, the record's title can be accessed by that user. Versions 4.13.39 and 5.1.11 contain a fix for this issue.
Severity ?
4.3 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| silverstripe | silverstripe-framework |
Affected:
< 4.13.39
Affected: >= 5.0.0, < 5.1.11 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T21:37:54.676Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-qm2j-qvq3-j29v",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-qm2j-qvq3-j29v"
},
{
"name": "https://www.silverstripe.org/download/security-releases/CVE-2023-48714",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.silverstripe.org/download/security-releases/CVE-2023-48714"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-48714",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-23T23:32:05.618883Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T21:19:26.348Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "silverstripe-framework",
"vendor": "silverstripe",
"versions": [
{
"status": "affected",
"version": "\u003c 4.13.39"
},
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 5.1.11"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Silverstripe Framework is the framework that forms the base of the Silverstripe content management system. Prior to versions 4.13.39 and 5.1.11, if a user should not be able to see a record, but that record can be added to a `GridField` using the `GridFieldAddExistingAutocompleter` component, the record\u0027s title can be accessed by that user. Versions 4.13.39 and 5.1.11 contain a fix for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-23T13:49:27.350Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-qm2j-qvq3-j29v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-qm2j-qvq3-j29v"
},
{
"name": "https://www.silverstripe.org/download/security-releases/CVE-2023-48714",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.silverstripe.org/download/security-releases/CVE-2023-48714"
}
],
"source": {
"advisory": "GHSA-qm2j-qvq3-j29v",
"discovery": "UNKNOWN"
},
"title": "Record titles for restricted records can be viewed if exposed by GridFieldAddExistingAutocompleter"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-48714",
"datePublished": "2024-01-23T13:49:27.350Z",
"dateReserved": "2023-11-17T19:43:37.555Z",
"dateUpdated": "2025-06-17T21:19:26.348Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-22729 (GCVE-0-2023-22729)
Vulnerability from cvelistv5 – Published: 2023-04-26 14:00 – Updated: 2025-01-31 16:10
VLAI?
Title
Silverstripe Framework has open redirect vulnerability on CMSSecurity relogin screen
Summary
Silverstripe Framework is the Model-View-Controller framework that powers the Silverstripe content management system. Prior to version 4.12.15, an attacker can display a link to a third party website on a login screen by convincing a legitimate content author to follow a specially crafted link. Users should upgrade to Silverstripe Framework 4.12.15 or above to address the issue.
Severity ?
5.4 (Medium)
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| silverstripe | silverstripe-framework |
Affected:
< 4.12.5
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:13:50.178Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-fw84-xgm8-9jmv",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-fw84-xgm8-9jmv"
},
{
"name": "https://github.com/silverstripe/silverstripe-framework/commit/1a5bb4cbece1721203977910b8ecd8b79c18dc77",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/silverstripe/silverstripe-framework/commit/1a5bb4cbece1721203977910b8ecd8b79c18dc77"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-22729",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-31T16:10:14.959836Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-31T16:10:21.843Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "silverstripe-framework",
"vendor": "silverstripe",
"versions": [
{
"status": "affected",
"version": "\u003c 4.12.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Silverstripe Framework is the Model-View-Controller framework that powers the Silverstripe content management system. Prior to version 4.12.15, an attacker can display a link to a third party website on a login screen by convincing a legitimate content author to follow a specially crafted link. Users should upgrade to Silverstripe Framework 4.12.15 or above to address the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-26T14:00:29.716Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-fw84-xgm8-9jmv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-fw84-xgm8-9jmv"
},
{
"name": "https://github.com/silverstripe/silverstripe-framework/commit/1a5bb4cbece1721203977910b8ecd8b79c18dc77",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/silverstripe/silverstripe-framework/commit/1a5bb4cbece1721203977910b8ecd8b79c18dc77"
}
],
"source": {
"advisory": "GHSA-fw84-xgm8-9jmv",
"discovery": "UNKNOWN"
},
"title": "Silverstripe Framework has open redirect vulnerability on CMSSecurity relogin screen "
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-22729",
"datePublished": "2023-04-26T14:00:29.716Z",
"dateReserved": "2023-01-06T14:21:05.891Z",
"dateUpdated": "2025-01-31T16:10:21.843Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-22728 (GCVE-0-2023-22728)
Vulnerability from cvelistv5 – Published: 2023-04-26 13:57 – Updated: 2025-01-31 16:10
VLAI?
Title
Silverstripe Framework has missing permission check of canView in GridFieldPrintButton
Summary
Silverstripe Framework is the Model-View-Controller framework that powers the Silverstripe content management system. Prior to version 4.12.15, the GridField print view incorrectly validates the permission of DataObjects potentially allowing a content author to view records they are not authorised to access. Users should upgrade to Silverstripe Framework 4.12.15 or above to address the issue.
Severity ?
4.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| silverstripe | silverstripe-framework |
Affected:
< 4.12.5
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:13:50.222Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-jh3w-6jp2-vqqm",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-jh3w-6jp2-vqqm"
},
{
"name": "https://github.com/silverstripe/silverstripe-framework/commit/fd5d8217e83768d7bf841e94b2d4d82642d5bc58",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/silverstripe/silverstripe-framework/commit/fd5d8217e83768d7bf841e94b2d4d82642d5bc58"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-22728",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-31T16:10:52.423986Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-31T16:10:56.483Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "silverstripe-framework",
"vendor": "silverstripe",
"versions": [
{
"status": "affected",
"version": "\u003c 4.12.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Silverstripe Framework is the Model-View-Controller framework that powers the Silverstripe content management system. Prior to version 4.12.15, the GridField print view incorrectly validates the permission of DataObjects potentially allowing a content author to view records they are not authorised to access. Users should upgrade to Silverstripe Framework 4.12.15 or above to address the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-26T13:57:03.733Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-jh3w-6jp2-vqqm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-jh3w-6jp2-vqqm"
},
{
"name": "https://github.com/silverstripe/silverstripe-framework/commit/fd5d8217e83768d7bf841e94b2d4d82642d5bc58",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/silverstripe/silverstripe-framework/commit/fd5d8217e83768d7bf841e94b2d4d82642d5bc58"
}
],
"source": {
"advisory": "GHSA-jh3w-6jp2-vqqm",
"discovery": "UNKNOWN"
},
"title": "Silverstripe Framework has missing permission check of canView in GridFieldPrintButton"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-22728",
"datePublished": "2023-04-26T13:57:03.733Z",
"dateReserved": "2023-01-06T14:21:05.890Z",
"dateUpdated": "2025-01-31T16:10:56.483Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-30148 (GCVE-0-2025-30148)
Vulnerability from nvd – Published: 2025-04-10 13:02 – Updated: 2025-04-10 13:34
VLAI?
Title
Silverstripe Framework has a XSS vulnerability in HTML editor
Summary
Silverstripe Framework is a PHP framework which powers the Silverstripe CMS. Prior to 5.3.23, bad actor with access to edit content in the CMS could send a specifically crafted encoded payload to the server, which could be used to inject a JavaScript payload on the front end of the site. The payload would be sanitized on the client-side, but server-side sanitization doesn't catch it. The server-side sanitization logic has been updated to sanitize against this attack. This vulnerability is fixed in 5.3.23.
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| silverstripe | silverstripe-framework |
Affected:
< 5.3.23
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30148",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-10T13:34:01.603624Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-10T13:34:14.930Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "silverstripe-framework",
"vendor": "silverstripe",
"versions": [
{
"status": "affected",
"version": "\u003c 5.3.23"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Silverstripe Framework is a PHP framework which powers the Silverstripe CMS. Prior to 5.3.23, bad actor with access to edit content in the CMS could send a specifically crafted encoded payload to the server, which could be used to inject a JavaScript payload on the front end of the site. The payload would be sanitized on the client-side, but server-side sanitization doesn\u0027t catch it. The server-side sanitization logic has been updated to sanitize against this attack. This vulnerability is fixed in 5.3.23."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-10T13:02:22.415Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-rhx4-hvx9-j387",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-rhx4-hvx9-j387"
},
{
"name": "https://github.com/silverstripe/silverstripe-framework/commit/e99cfd62d160d145a76fcf9631e6b11226e42358",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/silverstripe/silverstripe-framework/commit/e99cfd62d160d145a76fcf9631e6b11226e42358"
},
{
"name": "https://www.silverstripe.org/download/security-releases/cve-2025-30148",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.silverstripe.org/download/security-releases/cve-2025-30148"
}
],
"source": {
"advisory": "GHSA-rhx4-hvx9-j387",
"discovery": "UNKNOWN"
},
"title": "Silverstripe Framework has a XSS vulnerability in HTML editor"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-30148",
"datePublished": "2025-04-10T13:02:22.415Z",
"dateReserved": "2025-03-17T12:41:42.565Z",
"dateUpdated": "2025-04-10T13:34:14.930Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-53277 (GCVE-0-2024-53277)
Vulnerability from nvd – Published: 2025-01-14 22:45 – Updated: 2025-01-15 14:52
VLAI?
Title
Cross-site Scripting in form messages in silverstripe framework
Summary
Silverstripe Framework is a PHP framework which powers the Silverstripe CMS. In some cases, form messages can contain HTML markup. This is an intentional feature, allowing links and other relevant HTML markup for the given message. Some form messages include content that the user can provide. There are scenarios in the CMS where that content doesn't get correctly sanitised prior to being included in the form message, resulting in an XSS vulnerability. This issue has been addressed in silverstripe/framework version 5.3.8 and users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| silverstripe | silverstripe-framework |
Affected:
< 5.3.8
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-53277",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-15T14:52:17.681845Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-15T14:52:21.490Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "silverstripe-framework",
"vendor": "silverstripe",
"versions": [
{
"status": "affected",
"version": "\u003c 5.3.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Silverstripe Framework is a PHP framework which powers the Silverstripe CMS. In some cases, form messages can contain HTML markup. This is an intentional feature, allowing links and other relevant HTML markup for the given message. Some form messages include content that the user can provide. There are scenarios in the CMS where that content doesn\u0027t get correctly sanitised prior to being included in the form message, resulting in an XSS vulnerability. This issue has been addressed in silverstripe/framework version 5.3.8 and users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-14T22:45:07.403Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-ff6q-3c9c-6cf5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-ff6q-3c9c-6cf5"
},
{
"name": "https://github.com/silverstripe/silverstripe-framework/commit/74904f539347b7d1f8c5b5fb9e28d62ff251ee00",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/silverstripe/silverstripe-framework/commit/74904f539347b7d1f8c5b5fb9e28d62ff251ee00"
},
{
"name": "https://www.silverstripe.org/download/security-releases/cve-2024-53277",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.silverstripe.org/download/security-releases/cve-2024-53277"
}
],
"source": {
"advisory": "GHSA-ff6q-3c9c-6cf5",
"discovery": "UNKNOWN"
},
"title": "Cross-site Scripting in form messages in silverstripe framework"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-53277",
"datePublished": "2025-01-14T22:45:07.403Z",
"dateReserved": "2024-11-19T20:08:14.484Z",
"dateUpdated": "2025-01-15T14:52:21.490Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-32981 (GCVE-0-2024-32981)
Vulnerability from nvd – Published: 2024-07-17 19:36 – Updated: 2024-08-02 02:27
VLAI?
Title
Cross-site Scripting vulnerability with encoded payload in silverstripe/framework
Summary
Silverstripe framework is the PHP framework forming the base for the Silverstripe CMS. In affected versions a bad actor with access to edit content in the CMS could add send a specifically crafted encoded payload to the server, which could be used to inject a JavaScript payload on the front end of the site. The payload would be sanitised on the client-side, but server-side sanitisation doesn't catch it. The server-side sanitisation logic has been updated to sanitise against this type of attack in version 5.2.16. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| silverstripe | silverstripe-framework |
Affected:
< 5.2.16
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-32981",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-18T13:18:39.317587Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-18T13:18:50.890Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:27:53.196Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-chx7-9x8h-r5mg",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-chx7-9x8h-r5mg"
},
{
"name": "https://github.com/silverstripe/silverstripe-framework/commit/b8d20dc9d531550e06fd7da7a0eafa551922e2e1",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/silverstripe/silverstripe-framework/commit/b8d20dc9d531550e06fd7da7a0eafa551922e2e1"
},
{
"name": "https://www.silverstripe.org/download/security-releases/cve-2024-32981",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.silverstripe.org/download/security-releases/cve-2024-32981"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "silverstripe-framework",
"vendor": "silverstripe",
"versions": [
{
"status": "affected",
"version": "\u003c 5.2.16"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Silverstripe framework is the PHP framework forming the base for the Silverstripe CMS. In affected versions a bad actor with access to edit content in the CMS could add send a specifically crafted encoded payload to the server, which could be used to inject a JavaScript payload on the front end of the site. The payload would be sanitised on the client-side, but server-side sanitisation doesn\u0027t catch it. The server-side sanitisation logic has been updated to sanitise against this type of attack in version 5.2.16. All users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-17T19:36:00.563Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-chx7-9x8h-r5mg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-chx7-9x8h-r5mg"
},
{
"name": "https://github.com/silverstripe/silverstripe-framework/commit/b8d20dc9d531550e06fd7da7a0eafa551922e2e1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/silverstripe/silverstripe-framework/commit/b8d20dc9d531550e06fd7da7a0eafa551922e2e1"
},
{
"name": "https://www.silverstripe.org/download/security-releases/cve-2024-32981",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.silverstripe.org/download/security-releases/cve-2024-32981"
}
],
"source": {
"advisory": "GHSA-chx7-9x8h-r5mg",
"discovery": "UNKNOWN"
},
"title": "Cross-site Scripting vulnerability with encoded payload in silverstripe/framework"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-32981",
"datePublished": "2024-07-17T19:36:00.563Z",
"dateReserved": "2024-04-22T15:14:59.167Z",
"dateUpdated": "2024-08-02T02:27:53.196Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-48714 (GCVE-0-2023-48714)
Vulnerability from nvd – Published: 2024-01-23 13:49 – Updated: 2025-06-17 21:19
VLAI?
Title
Record titles for restricted records can be viewed if exposed by GridFieldAddExistingAutocompleter
Summary
Silverstripe Framework is the framework that forms the base of the Silverstripe content management system. Prior to versions 4.13.39 and 5.1.11, if a user should not be able to see a record, but that record can be added to a `GridField` using the `GridFieldAddExistingAutocompleter` component, the record's title can be accessed by that user. Versions 4.13.39 and 5.1.11 contain a fix for this issue.
Severity ?
4.3 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| silverstripe | silverstripe-framework |
Affected:
< 4.13.39
Affected: >= 5.0.0, < 5.1.11 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T21:37:54.676Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-qm2j-qvq3-j29v",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-qm2j-qvq3-j29v"
},
{
"name": "https://www.silverstripe.org/download/security-releases/CVE-2023-48714",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.silverstripe.org/download/security-releases/CVE-2023-48714"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-48714",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-23T23:32:05.618883Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T21:19:26.348Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "silverstripe-framework",
"vendor": "silverstripe",
"versions": [
{
"status": "affected",
"version": "\u003c 4.13.39"
},
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 5.1.11"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Silverstripe Framework is the framework that forms the base of the Silverstripe content management system. Prior to versions 4.13.39 and 5.1.11, if a user should not be able to see a record, but that record can be added to a `GridField` using the `GridFieldAddExistingAutocompleter` component, the record\u0027s title can be accessed by that user. Versions 4.13.39 and 5.1.11 contain a fix for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-23T13:49:27.350Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-qm2j-qvq3-j29v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-qm2j-qvq3-j29v"
},
{
"name": "https://www.silverstripe.org/download/security-releases/CVE-2023-48714",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.silverstripe.org/download/security-releases/CVE-2023-48714"
}
],
"source": {
"advisory": "GHSA-qm2j-qvq3-j29v",
"discovery": "UNKNOWN"
},
"title": "Record titles for restricted records can be viewed if exposed by GridFieldAddExistingAutocompleter"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-48714",
"datePublished": "2024-01-23T13:49:27.350Z",
"dateReserved": "2023-11-17T19:43:37.555Z",
"dateUpdated": "2025-06-17T21:19:26.348Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-22729 (GCVE-0-2023-22729)
Vulnerability from nvd – Published: 2023-04-26 14:00 – Updated: 2025-01-31 16:10
VLAI?
Title
Silverstripe Framework has open redirect vulnerability on CMSSecurity relogin screen
Summary
Silverstripe Framework is the Model-View-Controller framework that powers the Silverstripe content management system. Prior to version 4.12.15, an attacker can display a link to a third party website on a login screen by convincing a legitimate content author to follow a specially crafted link. Users should upgrade to Silverstripe Framework 4.12.15 or above to address the issue.
Severity ?
5.4 (Medium)
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| silverstripe | silverstripe-framework |
Affected:
< 4.12.5
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:13:50.178Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-fw84-xgm8-9jmv",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-fw84-xgm8-9jmv"
},
{
"name": "https://github.com/silverstripe/silverstripe-framework/commit/1a5bb4cbece1721203977910b8ecd8b79c18dc77",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/silverstripe/silverstripe-framework/commit/1a5bb4cbece1721203977910b8ecd8b79c18dc77"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-22729",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-31T16:10:14.959836Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-31T16:10:21.843Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "silverstripe-framework",
"vendor": "silverstripe",
"versions": [
{
"status": "affected",
"version": "\u003c 4.12.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Silverstripe Framework is the Model-View-Controller framework that powers the Silverstripe content management system. Prior to version 4.12.15, an attacker can display a link to a third party website on a login screen by convincing a legitimate content author to follow a specially crafted link. Users should upgrade to Silverstripe Framework 4.12.15 or above to address the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-26T14:00:29.716Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-fw84-xgm8-9jmv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-fw84-xgm8-9jmv"
},
{
"name": "https://github.com/silverstripe/silverstripe-framework/commit/1a5bb4cbece1721203977910b8ecd8b79c18dc77",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/silverstripe/silverstripe-framework/commit/1a5bb4cbece1721203977910b8ecd8b79c18dc77"
}
],
"source": {
"advisory": "GHSA-fw84-xgm8-9jmv",
"discovery": "UNKNOWN"
},
"title": "Silverstripe Framework has open redirect vulnerability on CMSSecurity relogin screen "
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-22729",
"datePublished": "2023-04-26T14:00:29.716Z",
"dateReserved": "2023-01-06T14:21:05.891Z",
"dateUpdated": "2025-01-31T16:10:21.843Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-22728 (GCVE-0-2023-22728)
Vulnerability from nvd – Published: 2023-04-26 13:57 – Updated: 2025-01-31 16:10
VLAI?
Title
Silverstripe Framework has missing permission check of canView in GridFieldPrintButton
Summary
Silverstripe Framework is the Model-View-Controller framework that powers the Silverstripe content management system. Prior to version 4.12.15, the GridField print view incorrectly validates the permission of DataObjects potentially allowing a content author to view records they are not authorised to access. Users should upgrade to Silverstripe Framework 4.12.15 or above to address the issue.
Severity ?
4.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| silverstripe | silverstripe-framework |
Affected:
< 4.12.5
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:13:50.222Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-jh3w-6jp2-vqqm",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-jh3w-6jp2-vqqm"
},
{
"name": "https://github.com/silverstripe/silverstripe-framework/commit/fd5d8217e83768d7bf841e94b2d4d82642d5bc58",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/silverstripe/silverstripe-framework/commit/fd5d8217e83768d7bf841e94b2d4d82642d5bc58"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-22728",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-31T16:10:52.423986Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-31T16:10:56.483Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "silverstripe-framework",
"vendor": "silverstripe",
"versions": [
{
"status": "affected",
"version": "\u003c 4.12.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Silverstripe Framework is the Model-View-Controller framework that powers the Silverstripe content management system. Prior to version 4.12.15, the GridField print view incorrectly validates the permission of DataObjects potentially allowing a content author to view records they are not authorised to access. Users should upgrade to Silverstripe Framework 4.12.15 or above to address the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-26T13:57:03.733Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-jh3w-6jp2-vqqm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-jh3w-6jp2-vqqm"
},
{
"name": "https://github.com/silverstripe/silverstripe-framework/commit/fd5d8217e83768d7bf841e94b2d4d82642d5bc58",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/silverstripe/silverstripe-framework/commit/fd5d8217e83768d7bf841e94b2d4d82642d5bc58"
}
],
"source": {
"advisory": "GHSA-jh3w-6jp2-vqqm",
"discovery": "UNKNOWN"
},
"title": "Silverstripe Framework has missing permission check of canView in GridFieldPrintButton"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-22728",
"datePublished": "2023-04-26T13:57:03.733Z",
"dateReserved": "2023-01-06T14:21:05.890Z",
"dateUpdated": "2025-01-31T16:10:56.483Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}