7 matches found
GHSA-M2HH-2M46-X6J5 silverstripe/framework may disclose database credentials during connection failure
When running SilverStripe 3.7 or 4.x in dev mode with the mysqli database driver, there is a potential to disclose the connection details. We have blacklisted the sensitive parts of the connection information from being included in dev mode stack traces when database errors occur...
silverstripe/framework allows upload of dangerous file types
Some potentially dangerous file types exist in the default `File.allowed_extensions` configuration, which could allow a malicious CMS user to upload files that then get executed in the security context of the website. We have removed the ability to upload .css, .js, .potm, .dotm, .xltm and .jar files in the default...
PT-2024-40472 · Silverstripe · Silverstripe
Name of the Vulnerable Software and Affected Versions: SilverStripe 4, affected versions not specified. Description: The issue concerns potentially dangerous file types in the `File.allowed_extensions` configuration, which could allow a malicious CMS user to upload files that get executed in the...
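The two entries above describe the same weakness: an upload allowlist that still contains extensions a browser or the server will execute. The following is an added example of the check a practitioner would want at the upload boundary, written here for illustration; it is not SilverStripe's own code. The denylist is the set of extensions the advisory says were removed from the default allowlist; the allowlist `DEFAULT_ALLOWED` is a made-up site configuration that deliberately still contains `js`, to show that the explicit denylist wins over a permissive config.

```python
"""Upload extension check (added example, not silverstripe/framework code)."""
import os

# Extensions the advisory reports were removed from the default allowlist.
DANGEROUS = frozenset({"css", "js", "potm", "dotm", "xltm", "jar"})

# Hypothetical site allowlist. "js" is left in on purpose: a stale or
# over-permissive config must not reintroduce an executable type.
DEFAULT_ALLOWED = frozenset({"jpg", "jpeg", "png", "gif", "pdf", "txt", "js"})


def extension_of(filename: str) -> str:
    """Return the final extension, lowercased, without the dot ('' if none).

    Directory components are dropped and trailing dots/whitespace stripped
    first, so 'evil.php.' is judged by 'php', not treated as extension-less.
    """
    base = os.path.basename(filename).strip().rstrip(".")
    _, ext = os.path.splitext(base)
    return ext[1:].lower()


def is_upload_allowed(filename: str, allowed=DEFAULT_ALLOWED) -> bool:
    """True only if the final extension is allowlisted and not denylisted.

    Only the last extension decides ('archive.tar.jar' is a .jar), and a
    file with no extension is rejected rather than passed through.
    """
    ext = extension_of(filename)
    if not ext:
        return False
    if ext in DANGEROUS:
        return False
    return ext in allowed


if __name__ == "__main__":
    for name in ("photo.PNG", "script.js", "archive.tar.jar", "README", "evil.php."):
        print(f"{name!r}: {'allowed' if is_upload_allowed(name) else 'rejected'}")
```

Deciding on the last extension only is deliberate: server and browser handlers key off it, so a check that looks at the first extension (`report.pdf.js` as "pdf") is the mistake the allowlist is meant to prevent. Checking the real content type of the uploaded bytes is a separate, complementary control.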
GHSA-9FMG-89FX-R33W Quadratic blowup in Convert::xml2array()
Silverstripe silverstripe/framework 4.x until 4.10.9 has a quadratic blowup in Convert::xml2array that enables a remote attack via a crafted XML document...
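A quadratic blowup document declares one large internal entity and references it many times, so the parser's output grows as (entity length) x (reference count) while the input stays small. The following is an added example, not code from silverstripe/framework, showing the shape of such a document and a pre-parse guard that estimates the expanded size from the DOCTYPE before handing the bytes to a parser. It handles only single-level internal general entities (the quadratic case); nested entities (the "billion laughs" case) are not modelled and should simply be rejected by a DOCTYPE-free policy. The 10 MB limit and the function names are this example's own assumptions.

```python
"""Quadratic-blowup guard for XML input (added example, not Convert::xml2array)."""
import re

# Matches single-level internal general entity declarations: <!ENTITY name "value">
ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')


def estimated_expansion(xml: str) -> int:
    """Bytes a parser would produce after expanding internal general entities.

    Each reference '&name;' (len(name) + 2 chars) is replaced by the entity
    value, so the delta per reference is len(value) - len(name) - 2.
    Only one level of expansion is considered (assumption of this example).
    """
    decls = dict(ENTITY_DECL.findall(xml))
    body = ENTITY_DECL.sub("", xml)  # the declarations themselves are not output
    total = len(body)
    for name, value in decls.items():
        refs = body.count(f"&{name};")
        total += refs * (len(value) - len(name) - 2)
    return total


def build_quadratic_blowup(entity_len: int = 50_000, refs: int = 100_000) -> str:
    """Constructed attacker input: one entity of entity_len bytes used refs times.

    Input size is roughly entity_len + 5 * refs; expanded size is entity_len * refs.
    """
    value = "a" * entity_len
    return ('<?xml version="1.0"?>\n'
            f'<!DOCTYPE r [<!ENTITY big "{value}">]>\n'
            '<r>' + "&big;" * refs + '</r>')


def safe_to_parse(xml: str, max_bytes: int = 10 * 1024 * 1024) -> bool:
    """Reject before parsing if expansion would exceed max_bytes (assumed limit)."""
    return estimated_expansion(xml) <= max_bytes


if __name__ == "__main__":
    doc = build_quadratic_blowup()
    print(f"input bytes: {len(doc):,}  estimated expanded bytes: {estimated_expansion(doc):,}")
    print("safe to parse:", safe_to_parse(doc))
```

In practice the simplest hardening is to refuse any DOCTYPE at all for untrusted XML, since application data almost never needs entity declarations; the estimate above is for the case where a DOCTYPE must be tolerated and you want a bound before the parser allocates.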
CVE-2019-5715
All versions of SilverStripe 3 prior to 3.6.7 and 3.7.3, and all versions of SilverStripe 4 prior to 4.0.7, 4.1.5, 4.2.4, and 4.3.1, allow reflected SQL injection through Form and DataObject...
SS-2017-008: SQL injection in full text search of SilverStripe 4
More info at https://www.silverstripe.org/download/security-releases/ss-2017-008/...