Framework

Silverstripe Framework is a PHP framework which powers the Silverstripe CMS. Prior to 5.3.23, bad actor with access to edit content in the CMS could send a specifically crafted encoded payload to the server, which could be used to inject a JavaScript payload on the front end of the site. The payload would be sanitized on the client-side, but server-side sanitization doesn't catch it. The server-side sanitization logic has been updated to sanitize against this attack. This vulnerability is fixed in 5.3.23.

Published: 2025-04-10T13:02:22.415Z
Updated: 2025-04-10T13:34:14.930Z

Silverstripe Framework is a PHP framework which powers the Silverstripe CMS. In some cases, form messages can contain HTML markup. This is an intentional feature, allowing links and other relevant HTML markup for the given message. Some form messages include content that the user can provide. There are scenarios in the CMS where that content doesn't get correctly sanitised prior to being included in the form message, resulting in an XSS vulnerability. This issue has been addressed in silverstripe/framework version 5.3.8 and users are advised to upgrade. There are no known workarounds for this vulnerability.

Published: 2025-01-14T22:45:07.403Z
Updated: 2025-01-15T14:52:21.490Z

Silverstripe framework is the PHP framework forming the base for the Silverstripe CMS. In affected versions a bad actor with access to edit content in the CMS could add send a specifically crafted encoded payload to the server, which could be used to inject a JavaScript payload on the front end of the site. The payload would be sanitised on the client-side, but server-side sanitisation doesn't catch it. The server-side sanitisation logic has been updated to sanitise against this type of attack in version 5.2.16. All users are advised to upgrade. There are no known workarounds for this vulnerability.

Published: 2024-07-17T19:36:00.563Z
Updated: 2024-08-02T02:27:53.196Z

Silverstripe Framework is the framework that forms the base of the Silverstripe content management system. Prior to versions 4.13.39 and 5.1.11, if a user should not be able to see a record, but that record can be added to a `GridField` using the `GridFieldAddExistingAutocompleter` component, the record's title can be accessed by that user. Versions 4.13.39 and 5.1.11 contain a fix for this issue.

Published: 2024-01-23T13:49:27.350Z
Updated: 2025-06-17T21:19:26.348Z

Silverstripe Framework is the Model-View-Controller framework that powers the Silverstripe content management system. Prior to version 4.12.15, an attacker can display a link to a third party website on a login screen by convincing a legitimate content author to follow a specially crafted link. Users should upgrade to Silverstripe Framework 4.12.15 or above to address the issue.

Published: 2023-04-26T14:00:29.716Z
Updated: 2025-01-31T16:10:21.843Z

Silverstripe Framework is the Model-View-Controller framework that powers the Silverstripe content management system. Prior to version 4.12.15, the GridField print view incorrectly validates the permission of DataObjects potentially allowing a content author to view records they are not authorised to access. Users should upgrade to Silverstripe Framework 4.12.15 or above to address the issue.

Published: 2023-04-26T13:57:03.733Z
Updated: 2025-01-31T16:10:56.483Z

Silverstripe silverstripe/framework through 4.11.0, silverstripe/assets through 1.11.0, and silverstripe/asset-admin through 1.11.0 allow XSS.

Published: 2022-11-22T00:00:00.000Z
Updated: 2025-04-29T04:34:39.080Z

Silverstripe silverstripe/framework through 4.11 is vulnerable to XSS by carefully crafting a return URL on a /dev/build or /Security/login request.

Published: 2022-11-22T00:00:00.000Z
Updated: 2025-04-29T04:37:07.448Z

Silverstripe silverstripe/framework through 4.11 allows SQL Injection.

Published: 2022-11-21T00:00:00.000Z
Updated: 2025-04-30T15:27:22.486Z

Silverstripe silverstripe/framework through 4.11 allows XSS (issue 3 of 3).

Published: 2022-11-23T00:00:00.000Z
Updated: 2025-04-25T20:26:57.605Z

Silverstripe silverstripe/framework through 4.11 allows XSS (issue 2 of 3).

Published: 2022-11-21T00:00:00.000Z
Updated: 2025-04-30T15:22:56.815Z

Silverstripe silverstripe/framework through 4.11 allows XSS (issue 1 of 3) via remote attackers adding a Javascript payload to a page's meta description and get it executed in the versioned history compare view.

Published: 2022-11-23T00:00:00.000Z
Updated: 2025-04-25T20:28:02.691Z

Silverstripe silverstripe/framework through 4.11 allows XSS vulnerability via href attribute of a link (issue 2 of 2).

Published: 2022-11-23T00:00:00.000Z
Updated: 2025-04-25T20:32:29.574Z

Silverstripe silverstripe/framework through 4.11 allows XSS (issue 1 of 2) via JavaScript payload to the href attribute of a link by splitting a javascript URL with white space characters.

Published: 2022-11-23T00:00:00.000Z
Updated: 2025-04-25T20:33:41.264Z

Silverstripe silverstripe/framework through 4.10.0 allows XSS, inside of script tags that can can be added to website content via XHR by an authenticated CMS user if the cwp-core module is not installed on the sanitise_server_side contig is not set to true in project code.

Published: 2022-06-28T21:39:48.000Z
Updated: 2024-08-03T04:36:06.421Z