
25 matches found

EUVD
added 2025/10/07 12:30 a.m. · 1 views

EUVD-2019-0155

Malware in sbrugna...

8.8 CVSS · 8.5 AI score · 0.00162 EPSS
Exploits 0 · References 7
EUVD
added 2025/10/03 8:07 p.m. · 2 views

EUVD-2021-27813

Malicious code in bioql PyPI...

7.5 CVSS · 7.6 AI score · 0.00291 EPSS
Exploits 1 · References 3
RedhatCVE
added 2025/05/23 9:58 a.m. · 5 views

CVE-2024-27915

Sulu is a PHP content management system. Starting in version 2.2.0 and prior to versions 2.4.17 and 2.5.13, access to pages is granted regardless of role permissions for webspaces which have a security system configured and permission check enabled. Webspaces without do not have this issue. The...

8.1 CVSS · 6.8 AI score · 0.00155 EPSS
Exploits 0 · References 1
RedhatCVE
added 2025/05/22 5:00 p.m. · 4 views

CVE-2020-19147

Improper Access Control in Jfinal CMS v4.7.1 and earlier allows remote attackers to obtain sensitive information via the 'getFolder' function in the component '/modules/filemanager/FileManager.java'...

6.5 CVSS · 6.8 AI score · 0.00289 EPSS
Exploits 1
NVD
added 2025/05/05 7:15 p.m. · 15 views

CVE-2025-46720

Keystone is a content management system for Node.js. Prior to version 6.5.0, field.isFilterable access control can be bypassed in update and delete mutations by adding additional unique filters. These filters can be used as an oracle to probe the existence or value of otherwise unreadable fields...

4.3 CVSS · 0.00062 EPSS
Exploits 0 · References 1
Veracode
added 2024/07/18 9:19 a.m. · 14 views

Cross Site Scripting (XSS)

Silverstripe framework is vulnerable to Cross Site Scripting (XSS). The vulnerability is due to inadequate server-side sanitization of encoded payloads within the file HTMLEditorSanitiser.php, allowing attackers with CMS content editing access to inject JavaScript payloads onto the site's front end...

5.4 CVSS · 6.2 AI score · 0.0105 EPSS
Exploits 0 · References 4 · Affected Software 1
Veracode
added 2024/05/27 4:03 a.m. · 8 views

Cross-Site Request Forgery (CSRF)

silverstripe/framework is vulnerable to Cross-Site Request Forgery (CSRF). The vulnerability is due to a lack of proper CSRF token verification in gridFieldAlterAction submissions, which allows attackers to trick users with CMS access into posting unspecified data from external websites...

7.1 AI score
Exploits 0
Github Security Blog
added 2024/05/23 7:19 p.m. · 9 views

Silverstripe CSRF vulnerability in GridFieldAddExistingAutocompleter

GridField does not have sufficient CSRF protection, meaning that in some cases users with CMS access can be tricked into posting unspecified data into the CMS from external websites. Amongst other default CMS interfaces, GridField is used for management of groups, users and permissions in the CMS...

7.1 AI score
Exploits 0 · References 6 · Affected Software 1
OSV
added 2024/05/23 3:00 p.m. · 7 views

GHSA-88JP-9JRV-6368 Silverstripe XSS In GridField print

A cross-site scripting vulnerability has been discovered in the print view of GridField. This vulnerability can only be exploited if a user with CMS access has posted malicious or unescaped HTML into any field of an object in a GridField, and the print feature is used. This has been resolved by...

6.1 CVSS · 6.3 AI score
Exploits 0 · References 4
Github Security Blog
added 2024/05/23 3:00 p.m. · 8 views

Silverstripe XSS In GridField print

A cross-site scripting vulnerability has been discovered in the print view of GridField. This vulnerability can only be exploited if a user with CMS access has posted malicious or unescaped HTML into any field of an object in a GridField, and the print feature is used. This has been resolved by...

6.3 AI score
Exploits 0 · References 4 · Affected Software 1
Github Security Blog
added 2024/05/23 2:57 p.m. · 9 views

Silverstripe XSS in TreeDropdownField and TreeMultiSelectField

A cross-site scripting vulnerability has been discovered in the TreeDropdownField and TreeMultiSelectField. This vulnerability can only be exploited if a user with CMS access has posted malicious or unescaped HTML into any of the dataobjects used as a data source for either of these fields. This...

6.4 AI score
Exploits 0 · References 4 · Affected Software 1
Positive Technologies
added 2024/05/23 12:00 a.m. · 2 views

PT-2024-40189 · Silverstripe · Silverstripe Gridfield

Name of the Vulnerable Software and Affected Versions: Silverstripe GridField, affected versions not specified. Description: A cross-site scripting issue has been found in the print view of GridField. This can be exploited if a user with CMS access posts malicious or unescaped HTML into any field o...

6.1 CVSS · 6.2 AI score
Exploits 0 · References 5
Github Security Blog
added 2024/05/22 7:03 p.m. · 10 views

Silverstripe SiteTree Creation Permission Vulnerability

A vulnerability exists in the permission validation for SiteTree object creation. By default user permissions are not validated by the SiteTree::canCreate method, unless overridden by user code or via the configuration system. This vulnerability will allow users, or unauthenticated guests, to...

7.4 AI score
Exploits 0 · References 5 · Affected Software 1
OSV
added 2024/05/22 7:03 p.m. · 10 views

GHSA-3MM9-2P44-RW39 Silverstripe SiteTree Creation Permission Vulnerability

A vulnerability exists in the permission validation for SiteTree object creation. By default user permissions are not validated by the SiteTree::canCreate method, unless overridden by user code or via the configuration system. This vulnerability will allow users, or unauthenticated guests, to...

7.5 CVSS · 7.4 AI score
Exploits 0 · References 5
Github Security Blog
added 2024/05/22 6:53 p.m. · 9 views

Silverstripe XSS vulnerability via VirtualPage

A cross-site scripting vulnerability has been discovered in the VirtualPage class. This vulnerability can only be exploited if a user with CMS access has posted malicious or unescaped HTML into any of the textfields of a page which a VirtualPage refers to. This has been resolved by ensuring that...

6.3 AI score
Exploits 0 · References 3 · Affected Software 1
Veracode
added 2022/11/22 8:36 a.m. · 16 views

SQL Injection

silverstripe/framework is vulnerable to SQL Injection. The vulnerability exists in the getManipulatedData function in GridFieldSortableHeader.php, where an attacker with CMS access could execute arbitrary SQL statements...

8.8 CVSS · 8.8 AI score · 0.00292 EPSS
Exploits 0 · References 7 · Affected Software 1
OSV
added 2022/11/22 12:00 a.m. · 14 views

GHSA-66JF-XM2M-7M8R Stored XSS in Compare Mode

A malicious content author could add a JavaScript payload to a page's meta description and get it executed in the versioned history compare view. This vulnerability requires access to the CMS to be deployed. The attacker must then convince a privileged user to access the version history for that...

5.4 CVSS · 5.2 AI score · 0.00235 EPSS
Exploits 0 · References 6
OSV
added 2022/11/22 12:00 a.m. · 15 views

GHSA-RR8H-F97Q-8P9C Blind SQL Injection via GridFieldSortableHeader

GridField state is vulnerable to SQL injection. The vast majority of GridFields in Silverstripe CMS are affected by this vulnerability. An attacker with CMS access could execute an arbitrary SQL statement by adding an SQL payload in some parts of the GridField state...

8.8 CVSS · 8.8 AI score · 0.00292 EPSS
Exploits 0 · References 6
OSV
added 2022/11/21 11:59 p.m. · 28 views

GHSA-PP74-G2Q5-J4JF Silverstripe CMS Stored XSS in custom meta tags

A malicious content author could create a custom meta tag and execute an arbitrary JavaScript payload. This would require convincing a legitimate user to access a page and enter a custom keyboard shortcut. This requires CMS access to exploit...

5.4 CVSS · 5.4 AI score · 0.00322 EPSS
Exploits 0 · References 6
Positive Technologies
added 2022/11/21 12:00 a.m. · 2 views

PT-2022-23993 · Silverstripe · Silverstripe/Framework

Name of the Vulnerable Software and Affected Versions: Silverstripe silverstripe/framework versions through 4.11. Description: The issue allows for XSS via a JavaScript payload to the href attribute of a link by splitting a javascript URL with white space characters. A malicious content author cou...

5.4 CVSS · 5.5 AI score · 0.00322 EPSS
Exploits 0 · References 11