silverstripe/framework vulnerabilities

Known vulnerabilities in the silverstripe/framework package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability	Vulnerable Version
M Cross-site Scripting (XSS)	<5.3.8
M Cross-site Scripting (XSS)	<5.3.8
M Cross-site Scripting (XSS)	<5.3.8
M Cross-site Scripting (XSS)	<5.2.16
H SQL Injection	>=4.0.0-rc1, <4.0.6>=4.1.0-rc1, <4.1.4>=4.2.0-rc1, <4.2.3
M Information Exposure Through an Error Message	>=3.7.0-rc1, <3.7.1>=4.0.0-rc1, <4.0.5>=4.1.0-rc1, <4.1.3>=4.2.0-rc1, <4.2.2
L Information Exposure	>=3.5.5-rc1, <3.7.0>=4.0.3-rc1, <4.0.4>=4.1.0-rc1, <4.1.1
H Unrestricted Upload of File with Dangerous Type	>=3.6.5-rc1, <3.6.6>=4.0.3-rc1, <4.0.4>=4.1.0-rc1, <4.1.1
M Information Exposure	>=4.0.0-rc1, <4.0.4>=4.1.0rc1, <4.1.1
H Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')	>=4.0.3-rc1, <4.0.4>=4.1.0-rc1, <4.1.1
H URL Redirection to Untrusted Site ('Open Redirect')	>=4.0.0-rc1, <4.0.4>=4.1.0-rc1, <4.1.1
M Privilege Escalation	>=3.5.7-rc1, <3.5.8>=3.6.0-rc1, <3.6.6>=4.0.0-rc1, <4.0.4>=4.1.0-rc1, <4.1.1
M Information Exposure	>=4.0.0-rc1, <4.0.1
H Missing Encryption of Sensitive Data	>=3.5.0-rc1, <3.5.6>=3.6.0-rc1, <3.6.3>=4.0.0-rc1, <4.0.1
H SQL Injection	>=3.5.0-rc1, <3.5.6>=3.6.0-rc1, <3.6.3>=4.0.0-rc1, <4.0.1
H Session Fixation	>=3.5.0-rc1, <3.5.6>=3.6.0-rc1, <3.6.3
M Cross-site Scripting (XSS)	>=3.4.0-rc1, <3.4.6>=3.5.0-rc1, <3.5.4
M Cross-site Scripting (XSS)	>=3.4.0-rc1, <3.4.6>=3.5.0-rc1, <3.5.4
M Information Exposure	>=3.4.0-rc1, <3.4.6>=3.5.0-rc1, <3.5.4
M Cross-site Scripting (XSS)	>=3.1.19-rc1, <3.1.20>=3.2.4-rc1, <3.2.5>=3.3.2-rc1, <3.3.3>=3.4.0-rc1, <3.4.1
M Cross-site Scripting (XSS)	>=3.1.19-rc1, <3.1.20>=3.2.4-rc1, <3.2.5>=3.3.2-rc1, <3.3.3>=3.4.0-rc1, <3.4.1
M Cross-site Scripting (XSS)	>=3.1.0-rc1, <3.1.21>=3.2.0-rc1, <3.2.6>=3.3.0-rc1, <3.3.4>=3.4.0-rc1, <3.4.2
M Cross-site Scripting (XSS)	>=3.4.0-rc1, <3.4.4>=3.5.0-rc1, <3.5.2
L Insufficient Session Expiration	>=3.1.19-rc1, <3.1.20>=3.2.4-rc1, <3.2.5>=3.3.2-rc1, <3.3.3>=3.4.0-rc1, <3.4.1
M Cross-site Scripting (XSS)	>=3.1.19-rc1, <3.1.20>=3.2.4-rc1, <3.2.5>=3.3.2-rc1, <3.3.3>=3.4.0-rc1, <3.4.1
M Improper Authentication	>=3.1.19-rc1, <3.1.20>=3.2.4-rc1, <3.2.5>=3.3.2-rc1, <3.3.3>=3.4.0-rc1, <3.4.1
M Missing Authorization	>=3.1.19-rc1, <3.1.20>=3.2.4-rc1, <3.2.5>=3.3.2-rc1, <3.3.3>=3.4.0-rc1, <3.4.1
L Use of a One-Way Hash without a Salt	>=3.1.19-rc1, <3.1.20>=3.2.4-rc1, <3.2.5>=3.3.2-rc1, <3.3.3>=3.4.0-rc1, <3.4.1
M Improper Input Validation	>=4.0.0-rc1, <4.0.4>=4.1.0-rc1, <4.1.1
M Information Exposure	>=4.0.0-rc1, <4.0.4>=4.1.0-rc1, <4.1.1
M Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')	<3.5.6>=3.6.0, <3.6.3>=4.0.0, <4.0.1
M Information Exposure	>=3.0.0, <4.13.39>=5.0.0, <5.1.11
M Open Redirect	<3.1.14
M Weak Password Requirements	<4.13.14>=5.0.0, <5.0.13
M Insecure Permissions	>=4.0.0, <4.12.5
M Open Redirect	>=4.0.0, <4.12.5
M Cross-site Scripting (XSS)	>=3.0.0, <4.11.13
M Cross-site Scripting (XSS)	>=3.0.0, <4.11.13
H SQL Injection	>=3.0.0, <4.10.11>=4.11.0, <4.11.14
M Cross-site Scripting (XSS)	>=3.0.0, <4.11.13
M Cross-site Scripting (XSS)	>=4.0.0, <4.11.13
M Denial of Service (DoS)	<4.10.9
M Cross-site Scripting (XSS)	<4.10.9
M Cross-site Scripting (XSS)	<4.10.9
L Improper Input Validation	>=4.8.0-beta1, <4.8.0>=3.0.0, <4.7.4
L XML External Entity (XXE) Injection	>=4.8.0-beta1, <4.8.0<4.7.4
M Cache Poisoning	>=4.0.0, <4.4.7>=4.5.0, <4.5.4>=3.0.0, <3.7.5
M Cross-site Scripting (XSS)	>=3.0.0, <3.7.5
M Information Exposure	<4.4.6>=4.5.0, <4.5.3
H Cross-site Scripting (XSS)	>=4.4.0, <4.4.5>=4.5.0, <4.5.2
C Cross-site Scripting (XSS)	>=3.1.18, <3.1.19>=3.2.3, <3.2.4>=3.3.1, <3.3.2
L Improper Restriction of Excessive Authentication Attempts	>=3.1.18, <3.1.19>=3.2.3, <3.2.4>=3.3.1, <3.3.2
M Information Exposure	>=4.0.0, <4.0.4>=4.1.0, <4.1.1
H Privilege Escalation	>=3.5.7, <3.5.8>=3.6.0, <3.6.6>=4.0.0, <4.0.4>=4.1.0, <4.1.1
M Session Hijacking	>=3.5.0, <3.5.6>=3.6.0, <3.6.3
M Information Exposure	>=4.0.0, <4.0.4
C Open Redirect	>=4.0.0, <4.0.4
H Cross-site Scripting (XSS)	<3.4.4>=3.5.0, <3.5.2
H Cross-site Scripting (XSS)	<3.4.6>=3.5.0, <3.5.4
H Cross-site Scripting (XSS)	<3.4.6>=3.5.0, <3.5.4
H Cross-site Scripting (XSS)	>=3.1.19, <3.1.20>=3.2.4, <3.2.5>=3.3.2, <3.3.3>=3.4.0, <3.4.1
H Cross-site Scripting (XSS)	>=3.1.18, <3.1.19>=3.2.3, <3.2.4>=3.3.1, <3.3.2
H Denial of Service (DoS)	>=4.0.0, <4.0.5>=4.1.0, <4.1.3>=4.2.0, <4.2.2
H Cross-site Scripting (XSS)	>=3.3.2, <3.3.3>=3.4.0, <3.4.1
M Cross-site Scripting (XSS)	>=4.0.0, <4.3.5>=4.4.0, <4.4.4
C Cross-site Scripting (XSS)	>=3.1.9, <3.1.20>=3.2.4, <3.2.5>=3.3.2, <3.3.3>=3.4.0, <3.4.1
H Cross-site Scripting (XSS)	>=3.1.0, <3.1.21>=3.2.0, <3.2.6>=3.3.0, <3.3.4>=3.4.0, <3.4.2
C Unrestricted Upload	>=3.6.5, <3.6.6>=4.0.3, <4.0.4>=4.1.0, <4.1.1
H Information Exposure	>=3.5.0, <3.5.5>=3.6.0, <3.6.2
M Improper Authentication	>=3.1.19, <3.1.20>=3.2.4, <3.2.5>=3.3.2, <3.3.3>=3.4.0, <3.4.1
M Cross-site Scripting (XSS)	>=3.0.0, <4.3.5>=4.4.0, <4.4.4
M Improper Access Control	>=3.1.19, <3.1.20>=3.2.4, <3.2.5>=3.3.2, <3.3.3>=3.4.0, <3.4.1
C Information Exposure	>=4.0.0, <4.0.1
C SQL Injection	<3.5.6>=3.6.0, <3.6.3>=4.0.0, <4.0.1
H Cross-site Request Forgery (CSRF)	>=3.1.18, <3.1.19>=3.2.3, <3.2.4>=3.3.1, <3.3.2
M Information Exposure	>=3.4.0, <3.4.6>=3.5.0, <3.5.4
H Arbitrary Code Execution	>=4.0.3, <4.0.4>=4.1.0, <4.1.1
M Information Exposure	>=3.7.0, <3.7.1>=4.0.0, <4.0.5>=4.1.0, <4.1.3>=4.2.0, <4.2.2
H CSV Injection	>=3.5.0, <3.5.6>=3.6.0, <3.6.3>=4.0.0, <4.0.1
M Improper Access Control	>=4.4.0, <4.4.4>=4.3.0, <4.3.6
C Incorrect Access Control	>=4.1.0, <4.3.6>=4.4.0, <4.4.4
L Session Fixation	>=3.6.0, <3.6.8>=3.7.0, <3.7.4>=4.3.0, <4.3.6>=4.4.0, <4.4.4
M Denial of Service (DoS)	>=4.0.0, <4.4.0
H SQL Injection	>=3.6.0, <3.6.7>=3.7.0, <3.7.3>=4.0.0, <4.0.7>=4.1.0, <4.1.5>=4.2.0, <4.2.4>=4.3.0, <4.3.1
M Access Restriction Bypass	<2.3.10>=2.4.0, <2.4.4
M IP and Protocol Spoofing	<3.1.17>=3.2.0, <3.2.2>=3.3-alpha, <3.3.0
L Access Restriction Bypass	<3.1.17>=3.2.0, <3.2.2>=3.3-alpha, <3.3.0
M Cross-site Request Forgery (CSRF)	<3.1.17>=3.2.0, <3.2.2>=3.3-alpha, <3.3.0
L Cross-site Scripting (XSS)	<3.2.1
M Cross-site Scripting (XSS)	<3.1.16>=3.2.0, <3.2.1
M Cross-site Scripting (XSS)	<3.1.14
M Cross-site Scripting (XSS)	<3.1.14
M HTTP Hostname Injection	<3.1.13
M Access Restriction Bypass	>=3.1.0, <3.1.13<3.0.14
M Open Redirect	>=3.1.0, <3.1.13<3.0.14
M SQL Injection	>=3.1.0, <3.1.13<3.0.14
M Cross-site Scripting (XSS)	<3.1.12
M Cross-site Scripting (XSS)	>=3.1.0, <3.1.12<3.0.13
H Arbitrary Code Injection	>=3.1.0, <3.1.12<3.0.13
M Cross-site Scripting (XSS)	<3.1.10
M Cross-site Scripting (XSS)	<3.1.10
M Cross-site Scripting (XSS)	<3.1.10
L Quadratic Blowup Attack	<3.1.12

Vulnerability

Vulnerable Version

Cross-site Scripting (XSS)

<5.3.8

Cross-site Scripting (XSS)

<5.3.8

Cross-site Scripting (XSS)

<5.3.8

Cross-site Scripting (XSS)

<5.2.16

SQL Injection

>=4.0.0-rc1, <4.0.6>=4.1.0-rc1, <4.1.4>=4.2.0-rc1, <4.2.3

Information Exposure Through an Error Message

>=3.7.0-rc1, <3.7.1>=4.0.0-rc1, <4.0.5>=4.1.0-rc1, <4.1.3>=4.2.0-rc1, <4.2.2

Information Exposure

>=3.5.5-rc1, <3.7.0>=4.0.3-rc1, <4.0.4>=4.1.0-rc1, <4.1.1

Unrestricted Upload of File with Dangerous Type

>=3.6.5-rc1, <3.6.6>=4.0.3-rc1, <4.0.4>=4.1.0-rc1, <4.1.1

Information Exposure

>=4.0.0-rc1, <4.0.4>=4.1.0rc1, <4.1.1

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

>=4.0.3-rc1, <4.0.4>=4.1.0-rc1, <4.1.1

URL Redirection to Untrusted Site ('Open Redirect')

>=4.0.0-rc1, <4.0.4>=4.1.0-rc1, <4.1.1

Privilege Escalation

>=3.5.7-rc1, <3.5.8>=3.6.0-rc1, <3.6.6>=4.0.0-rc1, <4.0.4>=4.1.0-rc1, <4.1.1

Information Exposure

>=4.0.0-rc1, <4.0.1

Missing Encryption of Sensitive Data

>=3.5.0-rc1, <3.5.6>=3.6.0-rc1, <3.6.3>=4.0.0-rc1, <4.0.1

SQL Injection

>=3.5.0-rc1, <3.5.6>=3.6.0-rc1, <3.6.3>=4.0.0-rc1, <4.0.1

Session Fixation

>=3.5.0-rc1, <3.5.6>=3.6.0-rc1, <3.6.3

Cross-site Scripting (XSS)

>=3.4.0-rc1, <3.4.6>=3.5.0-rc1, <3.5.4

Cross-site Scripting (XSS)

>=3.4.0-rc1, <3.4.6>=3.5.0-rc1, <3.5.4

Information Exposure

>=3.4.0-rc1, <3.4.6>=3.5.0-rc1, <3.5.4

Cross-site Scripting (XSS)