silverstripe-graphql is a package which serves Silverstripe data in GraphQL representations. An attacker could use a recursive graphql query to execute a Distributed Denial of Service attack (DDOS attack) against a website. This mostly affects websites with publicly exposed graphql schemas. If your Silverstripe CMS project does not expose a public facing graphql schema, a user account is required…

CVSS: 7.5 · CWE: CWE-400

View on NVD

`silverstripe/graphql` serves Silverstripe data as GraphQL representations. In versions 4.2.2 and 4.1.1, an attacker could use a specially crafted graphql query to execute a denial of service attack against a website which has a publicly exposed graphql endpoint. This mostly affects websites with particularly large/complex graphql schemas. Users should upgrade to `silverstripe/graphql` 4.2.3 or 4…

CVSS: 7.5 · CWE: CWE-770

View on NVD

Silverstripe silverstripe/subsites through 2.6.0 has Insecure Permissions.

CVSS: 7.5 · CWE: CWE-732

View on NVD

Silverstripe silverstripe/framework through 4.11 allows SQL Injection.

CVSS: 8.8 · CWE: CWE-89

View on NVD

Silverstripe CMS through 4.5 can be susceptible to script execution from malicious upload contents under allowed file extensions (for example HTML code in a TXT file). When these files are stored as protected or draft files, the MIME detection can cause browsers to execute the file contents. Uploads stored as protected or draft files are allowed by default for authorised users only, but can also…

CVSS: 8.8 · CWE: CWE-434

View on NVD

In SilverStripe through 4.5.0, a specific URL path configured by default through the silverstripe/framework module can be used to disclose the fact that a domain is hosting a Silverstripe application. There is no disclosure of the specific version. The functionality on this URL path is limited to execution in a CLI context, and is not known to present a vulnerability through web-based access. As…

CVSS: 7.5 · CWE: N/A

View on NVD

In SilverStripe through 4.5, files uploaded via Forms to folders migrated from Silverstripe CMS 3.x may be put to the default "/Uploads" folder instead. This affects installations which allowed upload folder protection via the optional silverstripe/secureassets module under 3.x. This module is installed and enabled by default on the Common Web Platform (CWP). The vulnerability only affects files…

CVSS: 7.5 · CWE: CWE-434

View on NVD

In SilverStripe through 4.3.3, the previous fix for SS-2018-007 does not completely mitigate the risk of CSRF in GraphQL mutations,

CVSS: 8.8 · CWE: CWE-352

View on NVD

In SilverStripe through 4.3.3, a missing warning about leaving install.php in a public webroot can lead to unauthenticated admin access.

CVSS: 9.8 · CWE: N/A

View on NVD

SQL injection vulnerability in silverstripe/restfulserver module 1.0.x before 1.0.9, 2.0.x before 2.0.4, and 2.1.x before 2.1.2 and silverstripe/registry module 2.1.x before 2.1.1 and 2.2.x before 2.2.1 allows attackers to execute arbitrary SQL commands.

CVSS: 9.8 · CWE: CWE-89

View on NVD

All versions of SilverStripe 3 prior to 3.6.7 and 3.7.3, and all versions of SilverStripe 4 prior to 4.0.7, 4.1.5, 4.2.4, and 4.3.1 allows Reflected SQL Injection through Form and DataObject.

CVSS: 9.8 · CWE: CWE-89

View on NVD

SQL injection vulnerability in the Folder::findOrMake method in SilverStripe 2.3.x before 2.3.12 and 2.4.x before 2.4.6 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

CVSS: 7.5 · CWE: CWE-89

View on NVD

SQL injection vulnerability in SilverStripe before 2.2.2 allows remote attackers to execute arbitrary SQL commands via unspecified vectors related to AjaxUniqueTextField.

CVSS: 7.5 · CWE: CWE-89

View on NVD

SQL injection vulnerability in File::find (filesystem/File.php) in SilverStripe before 2.3.1 allows remote attackers to execute arbitrary SQL commands via the filename parameter.

CVSS: 7.5 · CWE: CWE-89

View on NVD

Unspecified vulnerability in the search functionality in SilverStripe 2.0.0 has unknown impact and attack vectors.

CVSS: 10.0 · CWE: N/A

View on NVD