EUVD-2022-7444
Malicious code in bioql PyPI...
Denial Of Service (DoS)
silverstripe/framework is vulnerable to Denial of Service (DoS). The vulnerability is due to insufficient authentication controls in the dev/build system controller, which could allow unauthorized users to trigger the dev/build process, potentially causing resource exhaustion and disrupting...
GHSA-CWGQ-83W5-8JFQ silverstripe/framework has possible denial of service attack vector when flushing
A possible denial of service attack vector has been identified in the dev/build system controller. dev/build now has its own URL token, similar to flushtoken, to ensure users are authenticated when running dev/build outside of dev environments...
PT-2024-40251 · Packagist · Silverstripe/Framework
Name of the Vulnerable Software and Affected Versions: dev/build system controller (affected versions not specified). Description: A possible denial of service attack vector has been identified. The dev/build system now uses its own URL token for authentication when running outside of dev...
Cross-site Scripting (XSS)
silverstripe/framework is vulnerable to Cross-site Scripting (XSS). The vulnerability is due to an unvalidated returnURL parameter in the dev/build endpoint, which can cause users to be redirected to unverified third-party URLs...
GHSA-HQ4P-5MPR-JJ9M Silverstripe XSS in dev/build returnURL Parameter
An XSS risk exists in the returnURL parameter passed to dev/build. An unvalidated URL could cause the user to be redirected to an unverified third-party URL outside of the site. This issue is resolved in the framework 3.1.14 stable release...
PT-2024-40327 · Framework · Framework
Name of the Vulnerable Software and Affected Versions: framework versions prior to 3.1.14. Description: A risk exists due to an unvalidated returnURL parameter passed to dev/build, which could cause the user to be redirected to an unverified third-party URL outside of the site. Recommendations: For...
CVE-2022-38462
Silverstripe silverstripe/framework through 4.11 is vulnerable to XSS by carefully crafting a return URL on a /dev/build or /Security/login request...
CVE-2022-38462
CVE-2022-38462 affects SilverStripe framework up to version 4.11.0, enabling XSS via crafted return URLs on /dev/build or /Security/login. The core issue is insufficient sanitization/escaping of user-supplied data in responses. The risk is context-dependent and requires the browser to render PHP warn...
PT-2022-24417 · Silverstripe · Silverstripe/Framework
Name of the Vulnerable Software and Affected Versions: Silverstripe silverstripe/framework versions 4.11 and earlier. Description: The issue allows an attacker to inject an XSS payload in a Silverstripe CMS response by carefully crafting a return URL on a "/dev/build" or "/Security/login" request. ...
MAL-2022-7050 Malicious code in wb-dev-build-settings (npm)
Source: ghsa-malware 6f5b5cbbf6264d12fe4081a448996f9e5fc60597841f5b76b38308c4b24e82ee. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in code-oss-dev-build1 (npm)
Source: ghsa-malware b65930836996ae35d0c2c41c28426c97cd1b2bb8eda37b966b527b177ceea85f. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2022-1967 Malicious code in code-oss-dev-build (npm)
Source: ghsa-malware 456f94eeaa17d4db11b05a4eff73593023d7da49fd6cd24c043620da98c18616. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
GHSA-FH35-P8PH-P545 Silverstripe CMS Open Redirect
Open redirect vulnerability in SilverStripe CMS & Framework 3.1.13 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the returnURL parameter to dev/build...
@ckeditor/ckeditor5-dev-lint (>=1.0.0 <=2.0.3), @code_monk/hak-cli (>=1.0.6 <=1.0.9) +364 more potentially affected by CVE-2020-7751 via pathval (>=0.0.1 <=1.1.0)
pathval NPM versions =0.0.1, =1.0.0, =1.0.6, =1.0.4, =2.0.3, =1.0.8, =1.0.3, =1.0.7, =2.0.3, =3.1.2, =1.0.3, =0.0.1, =0.1.0, =0.2.0; affected dependents include @nwetzel/modern-web-dev-build =0.6.0 and more. Source CVEs: CVE-2020-7751. Source advisory: OSV:GHSA-G6WW-V8XP-VMWG...
@qbunnyteam/superlogin (>=0.0.3 <=0.0.4), @sensu/superlogin (>=1.2.2 <=1.2.6) +16 more potentially affected by CVE-2020-7673 via node-extend (=0.2.0)
node-extend NPM version =0.2.0 is affected by a known vulnerability. The following packages have a transitive dependency on node-extend and may be impacted: @qbunnyteam/superlogin =0.0.3, =1.2.2, =0.1.0, =0.1.0, =0.0.0, =0.2.0, =4.1.4, =1.1.0, =1.4.1 and more. Source CVEs: CVE-2020-7673. Source...
SS-2015-028: Missing security check on dev/build/defaults
More info at https://www.silverstripe.org/download/security-releases/ss-2015-028/...