When potential security holes are discovered in SilverStripe CMS, we produce security releases to ensure that you are able to promptly secure your SilverStripe websites (see our security release process). In addition to being available on the Stable Download page and announced on the Release Announcements Google Group, the security releases will be summarized here.
19 February 2013
- SilverStripe v3.0.4 - [Severity: Important] Undefined or empty `$allowed_actions` overrides parent definitions, Information exposure through web access on YAML configuration files, Information exposure through web access on composer files, Require ADMIN permissions for `?showtemplate=1`, Stored XSS in the "New Group" dialog, XSS in CMS status messages (details)
- SilverStripe v2.4.10 - [Severity: Important] Undefined `$allowed_actions` overrides parent definitions (details)
5 December 2012
- SilverStripe v2.4.9 - [Severity: Moderate] More secure "remember me" and "forgot password" token hashing (details)
31 October 2012
- SilverStripe v2.4.8 - [Severity: Moderate] Redirection to remote URLs, content type checks, install.php remote code execution (details)
31 January 2012
- SilverStripe v2.4.7 - XSS in text transformations on templates and page title saving in CMS (details)
- SilverStripe v2.3.13 - See 2.4.7 (details)
18 October 2011
- SilverStripe v2.4.6 - XSS in anchor links, possible SQL injection with far eastern encodings, possible remote code execution through page comments (details)
- SilverStripe v2.3.12 - See 2.4.6 (details)
21 December 2010
- SilverStripe v2.4.4 - SQL information disclosure, SQL injection in Translatable extension, Cross Site Request Forgery in various CMS interfaces, XSS in controller action handling (details)
- SilverStripe v2.3.10 - SQL injection in Translatable extension, Cross Site Request Forgery in various CMS interfaces, XSS in controller action handling (details)
11 November 2010
- SilverStripe v2.4.3 - Cross Site Request Forgery in various CMS interfaces and page comments, increased file extension upload security through whitelisting (details)
- SilverStripe v2.3.9 - Cross Site Request Forgery in various CMS interfaces and page comments (details)
22 September 2010
- SilverStripe v2.4.2 - Viewing unpublished content, privilege escalation of CMS editors with access to admin/security (details)
23 July 2010
- SilverStripe v2.4.1 - File extension checks, installer security, information disclosure through PHP file execution, passwords not encrypted in certain UI actions (details)
- SilverStripe v2.3.8 - File extension checks, information disclosure through PHP file execution (details)
18 March 2010
- SilverStripe v2.3.7 - Privilege escalation exploit, unauthenticated remote removal of index.php under certain conditions
8 February 2010
- SilverStripe v2.3.6 - Escaping exploit
21 January 2010
- SilverStripe v2.3.5 - Escaping exploit
- Forum 0.2.5 - Addresses an escaping issue
8 July 2009
20 March 2009
- SilverStripe v2.3.1
- SilverStripe v2.2.4 - designed for maximum compatibility with v2.2.0 - v2.2.3
On to “The news!” - News via the ModelAdmin
Simon 'Sphere' Erkelens is a freelance developer, fulltime employee of We::Code in the Netherlands with a tertiary background in applied physics. Before that, Simon worked for Squal Media. He started using SilverStripe at the end of 2009. Simon has given multiple presentations on implementing...
Want to know more about the company that brought you SilverStripe? Then check out SilverStripe.com
Comments on this website? Please give feedback.