22 matches found
EUVD-2022-7444
Malicious code in bioql PyPI...
Denial Of Service (DoS)
silverstripe/framework is vulnerable to Denial Of Service DoS. The vulnerability is due to insufficient authentication controls in the dev/build system controller, which could allow unauthorized users to trigger the dev/build process and potentially causing resource exhaustion and disrupting...
GHSA-CWGQ-83W5-8JFQ silverstripe/framework has possible denial of service attack vector when flushing
A possible denial of service attack vector has been identified in the dev/build system controller. dev/build now has its own URL token, similar to flushtoken, to ensure users are authenticated when running dev/build outside of dev environments...
silverstripe/framework has possible denial of service attack vector when flushing
A possible denial of service attack vector has been identified in the dev/build system controller. dev/build now has its own URL token, similar to flushtoken, to ensure users are authenticated when running dev/build outside of dev environments...
PT-2024-40251 · Packagist · Silverstripe/Framework
Name of the Vulnerable Software and Affected Versions: dev/build system controller affected versions not specified Description: A possible denial of service attack vector has been identified. The dev/build system now uses its own URL token for authentication when running outside of dev...
Cross-site Scripting (XSS)
silverstripe/framework is vulnerable to Cross-site Scripting XSS. The vulnerability is due to an unvalidated returnURL parameter in the dev/build endpoint, which can cause users to be redirected to unverified third-party URLs...
GHSA-HQ4P-5MPR-JJ9M Silverstripe XSS in dev/build returnURL Parameter
A XSS risk exists in the returnURL parameter passed to dev/build. An unvalidated url could cause the user to redirect to an unverified third party url outside of the site. This issue is resolved in framework 3.1.14 stable release...
Silverstripe XSS in dev/build returnURL Parameter
A XSS risk exists in the returnURL parameter passed to dev/build. An unvalidated url could cause the user to redirect to an unverified third party url outside of the site. This issue is resolved in framework 3.1.14 stable release...
PT-2024-40327 · Framework · Framework
Name of the Vulnerable Software and Affected Versions: framework versions prior to 3.1.14 Description: A risk exists due to an unvalidated returnURL parameter passed to dev/build, which could cause the user to redirect to an unverified third-party URL outside of the site. Recommendations: For...
CVE-2022-38462
Silverstripe silverstripe/framework through 4.11 is vulnerable to XSS by carefully crafting a return URL on a /dev/build or /Security/login request...
CVE-2022-38462
CVE-2022-38462 affects SilverStripe framework up to version 4.11.0, enabling XSS via crafted return URLs on /dev/build or /Security/login. Core issue is insufficient sanitization/escaping of user-supplied data in responses. The risk is context-dependent and requires the browser to render PHP warn...
PT-2022-24417 · Silverstripe · Silverstripe/Framework
Name of the Vulnerable Software and Affected Versions: Silverstripe silverstripe/framework versions 4.11 and earlier Description: The issue allows an attacker to inject a XSS payload in a Silverstripe CMS response by carefully crafting a return URL on a "/dev/build" or "/Security/login" request. ...
Malicious code in wb-dev-build-settings (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 6f5b5cbbf6264d12fe4081a448996f9e5fc60597841f5b76b38308c4b24e82ee Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2022-7050 Malicious code in wb-dev-build-settings (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 6f5b5cbbf6264d12fe4081a448996f9e5fc60597841f5b76b38308c4b24e82ee Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in code-oss-dev-build1 (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware b65930836996ae35d0c2c41c28426c97cd1b2bb8eda37b966b527b177ceea85f Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2022-1967 Malicious code in code-oss-dev-build (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 456f94eeaa17d4db11b05a4eff73593023d7da49fd6cd24c043620da98c18616 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
GHSA-FH35-P8PH-P545 Silverstripe CMS Open Redirect
Open redirect vulnerability in SilverStripe CMS & Framework 3.1.13 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the returnURL parameter to dev/build...
@ckeditor/ckeditor5-dev-lint (>=1.0.0 <=2.0.3), @code_monk/hak-cli (>=1.0.6 <=1.0.9) +364 more potentially affected by CVE-2020-7751 via pathval (>=0.0.1 <=1.1.0)
pathval NPM version =0.0.1, =1.0.0, =1.0.6, =1.0.4, =2.0.3, =1.0.8, =1.0.3, =1.0.7, =2.0.3, =3.1.2, =1.0.3, =0.0.1, =0.1.0, =0.2.0 - @nwetzel/modern-web-dev-build =0.6.0 and more Source cves: CVE-2020-7751 Source advisory: OSV:GHSA-G6WW-V8XP-VMWG...
@qbunnyteam/superlogin (>=0.0.3 <=0.0.4), @sensu/superlogin (>=1.2.2 <=1.2.6) +16 more potentially affected by CVE-2020-7673 via node-extend (=0.2.0)
node-extend NPM version =0.2.0 is affected by a known vulnerability. The following packages have a transitive dependency on node-extend and may be impacted: - @qbunnyteam/superlogin =0.0.3, =1.2.2, =0.1.0, =0.1.0, =0.0.0, =0.2.0, =4.1.4, =1.1.0, =1.4.1 and more Source cves: CVE-2020-7673 Source...
SS-2015-028: Missing security check on dev/build/defaults
More info at https://www.silverstripe.org/download/security-releases/ss-2015-028/...