I've read in the archive about a security issue with the assets folder (SilverStripe V. 2.2.3)
by uploading code-files as an asset into the CMS structure. (http://www.silverstripe.org/archive/show/247117#post247117)
This files can be executed by everybody, so its possible to query/drop the whole database.
Well, this bug hasn't been fixed for about 5 month and its still working fine with SilverStripe 2.3.1 .
I think this could be a big problem while thinking of social engineering issues.
A typical content editor has not the knowledge about what to upload or not.