Security Releases
When potential security holes are discovered in SilverStripe's supported modules, we produce security releases to ensure that you are able to promptly secure your SilverStripe websites (check our security release process). All releases are available on our download page, and are announced on our forums (register to subscribe). Vulnerabilities in releases are disclosed here. Please subscribe to our security release RSS feed and pre-announcement mailing list to stay updated.
CVE-2023-49783 - No permission checks for editing or deleting records with CSV import form
- Severity: Medium
- Identifier: CVE-2023-49783
- Versions Affected: silverstripe/admin: ^1, ^2
- Versions Fixed: silverstripe/admin: 1.13.19, 2.1.8
- Release Date: 2024-01-23
Users who don't have edit or delete permissions for records exposed in a ModelAdmin can still edit or delete records using the CSV import form, provided they have create permissions. The likelihood of a user having create permissions but not having edit or delete permissions is low, but it is possible.
Note that this doesn't affect any ModelAdmin which has had the import form disabled via the showImportForm public property, nor does it impact the SecurityAdmin section.
Action may be required
If you have a custom implementation of BulkLoader, you should update your implementation to respect permissions when the return value of getCheckPermissions() is true. If you are using any BulkLoader in your own project logic, or maintain a module which uses it, you should consider passing true to setCheckPermissions() if the data is provided by users.
Base CVSS: 4.3
Reported by: Guy Sartorelli from Silverstripe
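An added example (not code from the advisory or from Silverstripe) of how a custom CSV loader can honour the getCheckPermissions() flag described above. The class name, the App\Import namespace and the App\Model\MyRecord target class are assumptions; findExistingObject() is assumed to be CsvBulkLoader's existing duplicate-check lookup and objectClass its public target-class property.

```php
<?php
// Added example, not Silverstripe's own code. Assumes a project DataObject
// App\Model\MyRecord and the getCheckPermissions()/setCheckPermissions()
// methods the fixed releases add to BulkLoader.
namespace App\Import;

use SilverStripe\Dev\CsvBulkLoader;
use SilverStripe\ORM\DataObject;

class PermissionAwareCsvLoader extends CsvBulkLoader
{
    /**
     * Refuse to create or update a record the current user could not create or
     * edit through the normal CMS forms. Returning null skips the row.
     *
     * @param array $record    one parsed CSV row, keyed by column name
     * @param array $columnMap column-to-field mapping, as in the parent class
     * @param mixed $results   the parent's result collector (created/updated objects)
     */
    protected function processRecord($record, $columnMap, &$results, $preview = false)
    {
        if ($this->getCheckPermissions()) {
            // findExistingObject() is assumed to be the parent's duplicate lookup,
            // returning the matching DataObject or null.
            $existing = $this->findExistingObject($record, $columnMap);

            if ($existing instanceof DataObject) {
                if (!$existing->canEdit()) {
                    return null; // row maps to a record the user may not edit
                }
            } elseif (!DataObject::singleton($this->objectClass)->canCreate()) {
                return null; // user may not create records of this class
            }
        }

        return parent::processRecord($record, $columnMap, $results, $preview);
    }
}

// Project code that feeds user-supplied CSV data into the loader should turn
// the permission checks on explicitly:
//
//   $loader = new PermissionAwareCsvLoader(\App\Model\MyRecord::class);
//   $loader->setCheckPermissions(true);
//   $results = $loader->load($uploadedCsvPath);
```

The example covers the create and edit paths only; a loader configured to delete existing records before importing would need a matching canDelete() check in the same place.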
CVE-2023-48714 - Record titles for restricted records can be viewed if exposed by GridFieldAddExistingAutocompleter
- Severity: Medium
- Identifier: CVE-2023-48714
- Versions Affected: silverstripe/framework: ^3, ^4, ^5
- Versions Fixed: silverstripe/framework: 4.11.39, 5.1.11
- Release Date: 2024-01-23
If a user should not be able to see a record, but that record can be added to a GridField using the GridFieldAddExistingAutocompleter component, the record's title can be accessed by that user.
Base CVSS: 4.3
Reported by: Nick K - LittleMonkey, littlemonkey.co.nz
CVE-2023-44401 - View permissions are bypassed for paginated lists of ORM data in GraphQL queries
- Severity: Medium
- Identifier: CVE-2023-44401
- Versions Affected: silverstripe/graphql: ^4, ^5
- Versions Fixed: silverstripe/graphql: 4.3.7, 5.1.3
- Release Date: 2024-01-23
canView permission checks are bypassed for ORM data in paginated GraphQL query results where the total number of records is greater than the number of records per page. Note that this also affects GraphQL queries which have a limit applied, even if the query isn't paginated per se.
This has been fixed by ensuring no new records are pulled in from the database after performing canView permission checks for each page of results. This may result in some pages in your query results having fewer than the maximum number of records per page even when there are more pages of results. This behaviour is consistent with how pagination works in other areas of Silverstripe CMS, such as in GridField, and is a result of having to perform permission checks in PHP rather than in the database directly. You can choose to disable these permission checks by disabling the CanViewPermission plugin following the instructions in overriding default plugins. Note that this vulnerability does not affect silverstripe/graphql version 3.x.
Base CVSS: 5.3
Reported by: Eduard Briem from Hothouse Creative, Nelson
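The post-fix pagination behaviour described above, as an added illustration in plain PHP on constructed data (this is not the silverstripe/graphql plugin's code): paginateThenFilter(), the record arrays and the canView closure are constructed for the example, with the closure standing in for DataObject::canView(). It shows why a page can come back with fewer than the per-page maximum while further pages still exist.

```php
<?php
// Added illustration, not the silverstripe/graphql plugin's code.

/**
 * Take one page of records, then drop the ones the viewer may not see,
 * without pulling extra records from the "database" to refill the page.
 * The page may therefore hold fewer than $limit items while more pages exist.
 *
 * @param array    $allRecords ordered result set (stands in for the ORM query)
 * @param int      $limit      records per page
 * @param int      $offset     index of the first record on the page
 * @param callable $canView    fn(array $record): bool, stands in for canView()
 * @return array{records: array, hasNextPage: bool}
 */
function paginateThenFilter(array $allRecords, int $limit, int $offset, callable $canView): array
{
    // 1. Page in the database's terms: plain offset/limit, no permission knowledge.
    $page = array_slice($allRecords, $offset, $limit);

    // 2. Permission filter in PHP. Nothing is fetched to fill the gaps, so a
    //    restricted record never leaks into the page and the page may be short.
    $visible = array_values(array_filter($page, $canView));

    return [
        'records'     => $visible,
        'hasNextPage' => $offset + $limit < count($allRecords),
    ];
}

// Constructed sample: five records, two of which the viewer may not see.
$records = [
    ['ID' => 1, 'Title' => 'Public A', 'Restricted' => false],
    ['ID' => 2, 'Title' => 'Secret B', 'Restricted' => true],
    ['ID' => 3, 'Title' => 'Public C', 'Restricted' => false],
    ['ID' => 4, 'Title' => 'Secret D', 'Restricted' => true],
    ['ID' => 5, 'Title' => 'Public E', 'Restricted' => false],
];
$canView = fn(array $r): bool => !$r['Restricted'];

// Page size 3: the first page holds only two visible titles although a
// second page exists, which is the behaviour the advisory describes.
foreach ([0, 3] as $offset) {
    $result = paginateThenFilter($records, 3, $offset, $canView);
    printf(
        "offset %d: %s (next page: %s)\n",
        $offset,
        implode(', ', array_column($result['records'], 'Title')),
        $result['hasNextPage'] ? 'yes' : 'no'
    );
}
```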
CVE-2023-40180 - DDOS Vulnerability on GraphQL due to lack of protection against recursive queries
- Severity: High
- Identifier: CVE-2023-40180
- Versions Affected: silverstripe/graphql: ^3.0.0, ^4.0.0, ^5.0.0
- Versions Fixed: 3.8.2, 4.1.3, 4.2.5, 4.3.4, 5.0.3
- Release Date: 2023-10-16
An attacker could use a recursive graphql query to execute a Distributed Denial of Service attack (DDOS attack) against a website. This mostly affects websites with publicly exposed graphql schemas.
If your Silverstripe CMS project does not expose a public facing graphql schema, a user account is required to trigger the DDOS attack. If your site is hosted behind a content delivery network (CDN), such as Imperva or CloudFlare, this may further mitigate the risk.
The fix includes some new configuration options which you might want to tweak for your project, based on your own requirements. See the documentation in the references for details.
Base CVSS: 7.5
Reported by: Jason Nguyen from phew
References
SS-2023-002 Cross-site scripting (XSS) vulnerabilities inherited from TinyMCE
- Severity: Medium
- Identifier: SS-2023-002
- Versions Affected: silverstripe/admin: ^1.0.0
- Versions Fixed: silverstripe/admin: ^1.13.6
- Release Date: 2023-07-31
TinyMCE 4.x is vulnerable to several XSS vectors, which had been patched in later versions. Two of these have been identified as affecting silverstripe/admin. Only Silverstripe CMS 4 is affected by these vulnerabilities. It's not possible to upgrade Silverstripe CMS 4 to use a more recent release of TinyMCE without introducing breaking changes. Instead, the security patches that shipped in later releases of TinyMCE have been backported to the TinyMCE version bundled in silverstripe/admin. Silverstripe CMS 5 is not affected by these vulnerabilities because it uses TinyMCE 6.
These vulnerabilities were described by TinyMCE:
A cross-site scripting (XSS) vulnerability was discovered in the schema validation logic of the core parser. The vulnerability allowed arbitrary JavaScript execution when inserting a specially crafted piece of content into the editor using the clipboard or editor APIs. This malicious content could then end up in content published outside the editor, if no server-side sanitization was performed. This impacts all users who are using TinyMCE 5.8.2 or lower.
A cross-site scripting (XSS) vulnerability was discovered in the URL sanitization logic of the core parser. The vulnerability allowed arbitrary JavaScript execution when inserting a specially crafted piece of content into the editor using the clipboard or APIs. This impacts all users who are using TinyMCE 5.5.1 or lower.
Base CVSS: 5.4
Reported by: Guy Sartorelli from Silverstripe
References
CVE-2023-32302 Members with no password can be created and bypass custom login forms
- Severity: None
- Identifier: CVE-2023-32302
- Versions Affected: silverstripe/framework: ^3, ^4, ^5
- Versions Fixed: silverstripe/framework: 4.13.14, 5.0.13
- Release Date: 2023-07-31
When a new Member record was created in the CMS it was possible to set a blank password. If an attacker knows the email address of the user with the blank password then they can attempt to log in using an empty password. The default member authenticator, login form and basic auth all require a non-empty password; however, if a custom authentication method is used it may allow a successful login with the empty password.
After being patched, blank passwords are no longer allowed when members are created in the CMS. Programmatically created Member records, such as those used in unit tests, still allow blank passwords.
You may have some Member records in your system already which have empty passwords. To detect these, you can loop over all Member records with Member::get() and pass each record into the below method. It might be sensible to create a BuildTask for this purpose, as in the following task which wraps the method in the loop the text describes.

use SilverStripe\Dev\BuildTask;
use SilverStripe\Security\Member;
use SilverStripe\Security\MemberAuthenticator\MemberAuthenticator;
class FindBlankPasswordMembersTask extends BuildTask
{
    public function run($request)
    {
        foreach (Member::get() as $member) {
            if ($this->memberHasBlankPassword($member)) {
                echo "Member #{$member->ID} ({$member->Email}) has a blank password\n";
            }
        }
    }
    private function memberHasBlankPassword(Member $member): bool
    {
        // skip default admin as this is created programmatically
        if ($member->isDefaultAdmin()) {
            return false;
        }
        // return true if a blank password is valid for this member
        $authenticator = new MemberAuthenticator();
        return $authenticator->checkPassword($member, '')->isValid();
    }
}

Once you have identified the records with empty passwords, it's up to you how to handle this. The most sensible way to resolve this is probably to generate a new secure password for each of these members, mark it as immediately expired, and email each affected member (assuming they have a valid email address in the system).
Base CVSS: 0.0
Reported by: Sabina Talipova from Silverstripe and Christian Bünte
Addendum - November 2, 2023
CVE-2023-32302 has been invalidated. Following discussions with the National Institute of Standards and Technology (NIST), it was determined that entries in the National Vulnerability Database can not have a CVSS of 0.
While CVE-2023-32302 is no longer a valid vulnerability identifier, the rest of the information on this page remains relevant.
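An added example (not from the advisory or from Silverstripe) of a BuildTask that carries out the remediation the advisory suggests for members found with a blank password: set a new random password, mark it as already expired, and email the member to use the normal lost-password flow. The task name, the App\Task namespace and the mail wording are assumptions; memberHasBlankPassword() mirrors the advisory's own check, and the ordering of the two writes rests on the assumption that Member::onBeforeWrite() recalculates PasswordExpiry whenever the password changes.

```php
<?php
// Added example, not Silverstripe's own code. Assumes the Member API of
// silverstripe/framework 4.x/5.x (changePassword(), PasswordExpiry, write()).
namespace App\Task;

use SilverStripe\Control\Email\Email;
use SilverStripe\Dev\BuildTask;
use SilverStripe\Security\Member;
use SilverStripe\Security\MemberAuthenticator\MemberAuthenticator;

class ResetBlankPasswordMembersTask extends BuildTask
{
    private static $segment = 'ResetBlankPasswordMembersTask'; // assumed task URL segment

    public function run($request)
    {
        foreach (Member::get() as $member) {
            if (!$this->memberHasBlankPassword($member)) {
                continue;
            }
            $this->resetAndExpire($member);
            echo "Reset and expired password for Member #{$member->ID}\n";
        }
    }

    private function memberHasBlankPassword(Member $member): bool
    {
        if ($member->isDefaultAdmin()) {
            return false; // created programmatically, not through the CMS
        }
        return (new MemberAuthenticator())->checkPassword($member, '')->isValid();
    }

    private function resetAndExpire(Member $member): void
    {
        // 24 hex chars from a CSPRNG plus an upper-case letter and a punctuation
        // character, so the default PasswordValidator character tests pass.
        // The value is never shown to anyone; the member must use the
        // lost-password flow to pick a real one.
        $result = $member->changePassword(bin2hex(random_bytes(12)) . 'A!');
        if (!$result->isValid()) {
            throw new \RuntimeException("Could not reset password for Member #{$member->ID}");
        }

        // Expire it only after changePassword() has written: onBeforeWrite()
        // is assumed to recalculate PasswordExpiry when the password changes,
        // which would otherwise overwrite the date set here.
        $member->PasswordExpiry = date('Y-m-d', strtotime('-1 day'));
        $member->write();

        if ($member->Email) {
            Email::create()
                ->setTo($member->Email)
                ->setSubject('Your account password has been reset')
                ->setBody('Your password was reset for security reasons. Use the '
                    . '"Forgot password" link on the login page to choose a new one.')
                ->send();
        }
    }
}
```

Run it once with dev/tasks after deploying the patched release; because the new password is expired immediately, the member is forced through the reset flow on next login even if the mail is not delivered.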
SS-2023-001 - XSS vulnerability in underlying TinyMCE library
- Severity: Medium
- Identifier: SS-2023-001
- Versions Affected: silverstripe/admin: ^1.0.0
- Versions Fixed: silverstripe/admin: 1.12.7, 1.13.0
- Release Date: 2023-04-26
An old version of TinyMCE includes an XSS vulnerability, which was patched in a later version. The vulnerability is described by TinyMCE:
A cross-site scripting (XSS) vulnerability was discovered in the core parser. The vulnerability allowed arbitrary JavaScript execution when inserting a specially crafted piece of content into the editor via the clipboard or APIs. This impacts all users who are using TinyMCE 4.9.10 or lower and TinyMCE 5.4.0 or lower.
We reviewed the potential impact of this vulnerability within the context of Silverstripe CMS. We concluded this is a medium impact vulnerability given how TinyMCE is used by Silverstripe CMS.
Base CVSS: 5.4
Reported by: Developers at ACC
References
- GHSA-vrv8-v4w8-f95h
- https://www.mend.io/vulnerability-database/WS-2020-0142
- https://www.tiny.cloud/docs/release-notes/release-notes54/#securityfixes
CVE-2023-22729 - Open redirect vulnerability on CMSSecurity relogin screen
- Severity: Medium
- Identifier: CVE-2023-22729
- Versions Affected: silverstripe/framework: ^4.0.0
- Versions Fixed: silverstripe/framework: 4.12.5, 4.13.0
- Release Date: 2023-04-26
An attacker can display a link to a third party website on a login screen by convincing a legitimate content author to follow a specially crafted link.
Base CVSS: 4.3
Reported by: Matthew Dekker
CVE-2023-22728 - Missing permission check in GridFieldPrintButton
- Severity: Medium
- Identifier: CVE-2023-22728
- Versions Affected: silverstripe/framework: ^4.0.0
- Versions Fixed: silverstripe/framework: 4.12.5, 4.13.0
- Release Date: 2023-04-26
The GridField print view incorrectly validates the permission of DataObjects potentially allowing a content author to view records they are not authorised to access.
Base CVSS: 4.3
Reported by: Stephan Bauer from relaxt Webdienstleistungsagentur GmbH
CVE-2023-28104 - DDOS attack on graphql endpoints
- Severity: High
- Identifier: CVE-2023-28104
- Versions Affected: 4.2.2, 4.1.1
- Versions Fixed: 4.2.3, 4.1.2
- Release Date: 2023-03-16
An attacker could use a specially crafted graphql query to execute a Distributed Denial of Service attack (DDOS attack) against a website. This mostly affects websites with publicly exposed and particularly large/complex graphql schemas.
If your Silverstripe CMS project does not expose a public facing graphql schema, a user account is required to trigger the DDOS attack. If your site is hosted behind a content delivery network (CDN), such as Imperva or CloudFlare, this will likely further mitigate the risk.
Base CVSS: 7.5
Reported by: Guy Sartorelli from Silverstripe
CVE-2022-42949 - Subsite weakens file permissions
- Severity: Medium
- Identifier: CVE-2022-42949
- Versions Affected: silverstripe/subsites: ^2
- Versions Fixed: silverstripe/subsites: ^2.6.1, ^2.7.0
- Release Date: 2022-12-19
The subsites module can weaken edit restrictions on some files and allow a malicious user to edit files they do not have edit rights to.
This only affects projects with the subsites module installed. Regression testing should focus on custom file logic.
Be advised that this is not a case of a user being able to edit a file in subsites they do not have access to. As a reminder, all separation of content achieved with the subsites module should be viewed as cosmetic and not appropriate for security-critical applications.
Base CVSS: 5.4
Reported by: Bauke Zwaan from Hamaka
CVE-2022-38724 XSS in shortcodes
- Severity: Medium
- Identifier: CVE-2022-38724
- Versions Affected: silverstripe/framework: ^4.0.0, silverstripe/assets: ^1.0.0
- Versions Fixed: silverstripe/framework: ^4.11.13, silverstripe/assets: ^1.11.1
- Release Date: 2022-11-21
A malicious content author could add arbitrary attributes to HTML editor shortcodes which could be used to inject a JavaScript payload on the front end of the site. The shortcode providers that ship with Silverstripe CMS have been reviewed and attribute whitelists have been implemented where appropriate to negate this risk.
Most projects should be able to apply the patch without further work. There's no legitimate use case for this behaviour. If your project includes custom shortcode providers, consider reviewing them and implementing a similar whitelist when rendering the shortcodes to HTML.
Regression testing should focus on HTML Editor functionality relying on shortcodes:
- image insertion
- links to CMS resources
- media insertion
- custom shortcodes for your project.
Base CVSS: 4.6
Reported by: Steve Boyd from Silverstripe Ltd
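An added example (not one of Silverstripe's own shortcode providers) of the attribute whitelist the advisory recommends for custom shortcode providers: the handler copies only a fixed set of attributes into the output, restricts closed-set values, and escapes each one for its HTML context, so any other attribute an author types into the shortcode is discarded rather than echoed. The App\Shortcode namespace, the "callout" tag and its two attributes are assumptions; the handler signature and ShortcodeParser::register() are the framework's.

```php
<?php
// Added example, not Silverstripe's own code. Assumes silverstripe/framework 4.x
// ShortcodeParser; the "callout" shortcode and its attributes are invented here.
namespace App\Shortcode;

use SilverStripe\Core\Convert;
use SilverStripe\View\Parsers\ShortcodeParser;

class CalloutShortcodeProvider
{
    /**
     * Only these attributes ever reach the output. A null value means free text
     * (escaped on output); an array means the value must be one of those entries.
     */
    private const ALLOWED = [
        'type'  => ['info', 'warning'],
        'title' => null,
    ];

    /**
     * Handler signature expected by ShortcodeParser::register().
     * $arguments holds whatever attributes the author typed, e.g.
     * [callout type="warning" onmouseover="alert(1)"]...[/callout]
     */
    public static function handle($arguments, $content, $parser, $tagName, $extra = [])
    {
        $attrs = [];
        foreach (self::ALLOWED as $name => $allowedValues) {
            if (!isset($arguments[$name])) {
                continue;
            }
            $value = (string) $arguments[$name];
            if ($allowedValues !== null && !in_array($value, $allowedValues, true)) {
                continue; // unknown value for a closed-set attribute: drop it
            }
            $attrs[$name] = $value;
        }
        // Anything else in $arguments (event handlers, style, src, ...) is never used.

        $type  = $attrs['type'] ?? 'info';
        $title = isset($attrs['title'])
            ? '<strong>' . Convert::raw2xml($attrs['title']) . '</strong> '
            : '';

        // raw2att() escapes for an attribute value, raw2xml() for element text.
        // $content is the editor's own HTML between the tags and is passed through
        // unchanged; the whitelist governs only what the author's attributes add.
        return '<div class="callout callout-' . Convert::raw2att($type) . '">'
            . $title . $content
            . '</div>';
    }
}

// Registration, e.g. in app/_config.php:
ShortcodeParser::get('default')->register('callout', [CalloutShortcodeProvider::class, 'handle']);
```

Keeping the whitelist as a constant beside the handler makes the accepted surface reviewable in one place; if a new attribute is needed, it is added there with its allowed values rather than by passing $arguments through.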
CVE-2022-38462 Reflected XSS in querystring parameters
- Severity: Medium
- Identifier: CVE-2022-38462
- Versions Affected: silverstripe/framework: ^3.0.0, ^4.0.0
- Versions Fixed: silverstripe/framework: 4.11.13
- Release Date: 2022-11-21
An attacker could inject an XSS payload in a Silverstripe CMS response by carefully crafting a return URL on a /dev/build or /Security/login request. To exploit this vulnerability, an attacker would need to convince a user to follow a link with a malicious payload.
This will only affect projects configured to output PHP warnings to the browser. By default, Silverstripe CMS will only output PHP warnings if your SS_ENVIRONMENT_TYPE environment variable is set to dev. Production sites should always set SS_ENVIRONMENT_TYPE to live. Read the Environment management documentation for more details on configuring environment variables.
Most projects should be able to apply the patch without further work. There's no legitimate use case for this behaviour.
Regression testing should focus on areas where the location header is used to redirect users.
Base CVSS: 4.2
Reported by: TF1T via huntr.dev
CVE-2022-38148 Blind SQL Injection via GridFieldSortableHeader
- Severity: High
- Identifier: CVE-2022-38148
- Versions Affected: silverstripe/framework: ^3.0.0, ^4.0.0
- Versions Fixed: silverstripe/framework: 4.10.11, 4.11.14
- Release Date: 2022-11-21
Gridfield state is vulnerable to SQL injections. The vast majority of Gridfields in Silverstripe CMS are affected by this vulnerability.
An attacker with CMS access could execute an arbitrary SQL statement by adding an SQL payload in some parts of the GridField state.
Most projects should be able to apply the patch without further work. There's no legitimate use case for this behaviour.
Regression testing should focus on custom filtering and sorting logic for Gridfields.
Base CVSS: 7.1
Reported by: TF1T via huntr.dev
CVE-2022-38147 XSS via uploaded gpx file
- Severity: Medium
- Identifier: CVE-2022-38147
- Versions Affected: silverstripe/assets: ^1.0.0
- Versions Fixed: silverstripe/assets: 1.11.1
- Release Date: 2022-11-21
A malicious content author could upload a GPX file with a Javascript payload. The payload could then be executed by luring a legitimate user to view the file in a browser with support for GPX files. GPX is an XML-based format used to store GPS data.
By default, Silverstripe CMS will no longer allow GPX files to be uploaded to the assets area.
Most projects should be able to apply the patch without further work. While there can be a legitimate use case for using GPX files, it's an uncommon one. You can re-enable support for GPX files if you have a need for them, but beware there's an inherent risk in allowing content authors to upload this kind of file.
Regression testing should focus on identifying if your site makes use of any GPX files. You can validate if you have any pre-existing GPX file on your Silverstripe CMS site by accessing the Files area and searching for "GPX". You'll want to delete any GPX file prior to applying the patch.
Base CVSS: 4.6
Reported by: nhienit via huntr.dev