SilverStripe has recently become aware of a security vulnerability affecting the majority of SilverStripe sites on 3.x and 4.x release lines.
In certain circumstances, this vulnerability could expose database content such as draft content or user details. We have found no evidence in our own hosting environments that this vulnerability has been exploited or that any data has been exposed. This vulnerability is relatively difficult to discover and was not identified in regular internal code reviews, external code reviews, or penetration tests.
Updated releases for all supported minor releases in SilverStripe 3.x and 4.x were made available earlier today (3.6.7, 3.7.3, 4.0.7, 4.1.5, 4.2.4, 4.3.1). If you are using SilverStripe, it is highly recommended that you plan for an upgrade as soon as possible to ensure your sites remain secure.
SilverStripe 3.x is supported until September 2020, and this vulnerability does not force you to upgrade to SilverStripe 4.x. Websites which are already on SilverStripe 4.x are less impacted by this vulnerability, due to general improvements to the security foundations on this newer codebase. While this might be a good opportunity to review the case for a SilverStripe 4.x upgrade, it’s more important to keep your site secure on the short term.
Read the full security release announcement for technical details.
To receive future pre-disclosure communications, please subscribe for our pre-disclosure mailing list.