Lucene search
+L

212 matches found

OSV
OSV
added 2024/05/27 6:53 p.m.11 views

GHSA-5R8W-66HQ-RC39 silverstripe/framework's pre-existing alc_enc cookies log users in if remember me is disabled

If remember me is on and users log in with the box checked, if the developer then disabled "remember me" function, any pre-existing cookies will continue to authenticate users...

3.1CVSS7AI score
Exploits0References7
Github Security Blog
Github Security Blog
added 2024/05/27 6:53 p.m.11 views

silverstripe/framework's pre-existing alc_enc cookies log users in if remember me is disabled

If remember me is on and users log in with the box checked, if the developer then disabled "remember me" function, any pre-existing cookies will continue to authenticate users...

7AI score
Exploits0References7Affected Software1
OSV
OSV
added 2024/05/27 6:44 p.m.15 views

GHSA-52CX-HPC5-CXWC silverstripe/framework missing ACL on reports

The SSReport, and the reports CMS section only checks canView when listing the reports that can be viewed by the current user. It does not and should perform canView checks when the report is actually viewed, so if you know the URL to a report and can otherwise access the Reports section of the...

4.3CVSS7AI score
Exploits0References3
Github Security Blog
Github Security Blog
added 2024/05/27 6:36 p.m.11 views

silverstripe/framework ChangePasswordForm does not check `Member::canLogIn()`

After performing a password reset, ChangePasswordForm::doChangePassword logs in the user without checking Member::canLogIn. This presents an issue for sites that are using the extension point in that method to deny access to users for example members that have not been “approved”, or members that...

7.2AI score
Exploits0References7Affected Software1
OSV
OSV
added 2024/05/27 6:33 p.m.7 views

GHSA-F3WP-XPV2-6VMG silverstripe/framework password encryption salt not updated

When a user changes their password, the internal salt used for hashing their password is not updated. Although this is not considered a security vulnerability, this behaviour has been improved to ensure the salt is reset on change of password...

7.2AI score
Exploits0References7
Veracode
Veracode
added 2024/05/27 1:44 p.m.11 views

Improper URL Sanitization

silverstripe/framework is vulnerable to Improper URL Sanitization. The vulnerability is due to a lack of server-side URL sanitization in the "Add from URL" function, allowing potentially dangerous URLs to be processed...

7AI score
Exploits0
Veracode
Veracode
added 2024/05/27 8:35 a.m.14 views

Open Redirect

silverstripe/framework is vulnerable to Open Redirect. The vulnerability is due to improper handling of login URLs, allowing attackers to redirect successful logins to external sites...

7AI score
Exploits0
Veracode
Veracode
added 2024/05/27 8:22 a.m.15 views

Cross Site Scripting (XSS)

silverstripe/framework is vulnerable to Cross Site Scripting. The vulnerability is due to a lack of adminusername and adminpassword sanitation within the setup form...

7AI score
Exploits0
Veracode
Veracode
added 2024/05/27 7:44 a.m.12 views

Cross-site Scripting(XSS)

silverstripe/framework is vulnerable to Cross-site Scripting XSS. The vulnerability is caused due to the lack of proper sanitization or encoding of user-input data when it is displayed in TreeDropdownField and TreeMultiSelectField, which allows an attacker to execute malicious JavaScript code...

6.8AI score
Exploits0
Veracode
Veracode
added 2024/05/27 7:23 a.m.9 views

Cross-site Scripting (XSS)

silverstripe/framework is vulnerable to Cross-site Scripting XSS. The vulnerability is due to improper encoding of validation messages in certain FormField classes, which can present invalid content as part of the validation response resulting in XSS...

6.7AI score
Exploits0
Veracode
Veracode
added 2024/05/27 5:24 a.m.7 views

Cross-Site Scripting (XSS)

silverstripe/framework is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to a lack of parameter sanitization, allowing the injection of arbitrary HTML through crafted URLs...

6.6AI score
Exploits0
Veracode
Veracode
added 2024/05/27 4:3 a.m.11 views

Cross-Site Request Forgery (CSRF)

silverstripe/framework is vulnerable to Cross-Site Request Forgery CSRF. The vulnerability is due to a lack of proper CSRF token verification in gridFieldAlterAction submissions, which allows attackers to trick users with CMS access into posting unspecified data from external websites...

7.1AI score
Exploits0
Positive Technologies
Positive Technologies
added 2024/05/27 12:0 a.m.3 views

PT-2024-40363 · Packagist · Silverstripe/Framework

Name of the Vulnerable Software and Affected Versions: No specific software or versions mentioned. Description: A maliciously crafted URL can bypass the offsite redirection protection for BackURL parameters, potentially leading to users entering sensitive data on malicious websites instead of the...

7.5CVSS6.9AI score
Exploits0References5
Positive Technologies
Positive Technologies
added 2024/05/27 12:0 a.m.3 views

PT-2024-40391 · Packagist · Silverstripe/Framework

Name of the Vulnerable Software and Affected Versions: No specific software or versions are mentioned in the provided description. Description: The issue arises after a password reset, where the ChangePasswordForm::doChangePassword function logs in the user without checking Member::canLogIn. This...

4.3CVSS7.1AI score
Exploits0References8
Positive Technologies
Positive Technologies
added 2024/05/27 12:0 a.m.4 views

PT-2024-40322 · Silverstripe · Silverstripe/Framework

Name of the Vulnerable Software and Affected Versions: silverstripe/framework affected versions not specified Description: The issue concerns an XSS vulnerability in the Page name of silverstripe/framework. It can be triggered by a payload such as ", which results in an XSS alert. Recommendations...

6.1CVSS6.1AI score
Exploits0References5
Positive Technologies
Positive Technologies
added 2024/05/27 12:0 a.m.3 views

PT-2024-40165 · Packagist · Silverstripe/Framework

Name of the Vulnerable Software and Affected Versions: No specific software or versions are mentioned. Description: The issue allows user enumeration through a timing attack on the login or password reset pages using user credentials. Recommendations: At the moment, there is no information about ...

7.2AI score
Exploits0References5
OSV
OSV
added 2024/05/23 7:50 p.m.28 views

GHSA-97JM-G33H-F46G silverstripe/framework ReadOnly transformation for formfields exploitable

Form fields returning isReadonly as true are vulnerable to reflected XSS injections. This includes ReadonlyField, LookupField, HTMLReadonlyField, as well as special purpose fields like TimeFieldReadonly. Values submitted to through these form fields are not filtered out from the form session data...

6.1CVSS6.1AI score
Exploits0References4
Github Security Blog
Github Security Blog
added 2024/05/23 5:27 p.m.18 views

Silverstripe framework is vulnerable to XSS in install.php

During installation, certain parameters adminusername and adminpassword are not escaped in the setup form. This issue is resolved in 3.1.14 stable, although existing users are advised to remove this file prior to deploying to a production server...

6.9AI score
Exploits0References4Affected Software1
Positive Technologies
Positive Technologies
added 2024/05/23 12:0 a.m.4 views

PT-2024-40204 · Packagist · Silverstripe/Framework

Name of the Vulnerable Software and Affected Versions: No specific software or versions mentioned Description: The issue concerns default Administrator accounts not having the same brute force protection as other Member accounts. Specifically, failed login counts were not logged for default admin...

9.1CVSS7AI score
Exploits0References5
Positive Technologies
Positive Technologies
added 2024/05/23 12:0 a.m.3 views

PT-2024-40280 · Silverstripe · Silverstripe/Framework

Name of the Vulnerable Software and Affected Versions: SilverStripe framework affected versions not specified Description: A low-level issue has been found in the framework, where the Quadratic Blowup Attack could potentially be exploited to affect the performance of a site. Recommendations: At t...

5.3CVSS6.8AI score
Exploits0References5
Rows per page
Query Builder