Security Releases

When potential security holes are discovered in SilverStripe's supported modules, we produce security releases to ensure that you are able to promptly secure your SilverStripe websites (check our security release process). All releases are available on our download page, and are announced on our forums (register to subscribe). Vulnerabilities in releases are disclosed here. Please subscribe to our security release RSS feed and pre-announcement mailing list to stay updated.

• SS-2023-001 - XSS vulnerability in underlying TinyMCE library

  Severity:

  Medium (?)

  Identifier:

  SS-2023-001

  Versions Affected:

  silverstripe/admin: ^1.0.0

  Versions Fixed:

  silverstripe/admin: 1.12.7, 1.13.0

  Release Date:

  2023-04-26

  An old version of TinyMCE includes an XSS vulnerability, which was patched in a later version. The vulnerability is described by TinyMCE:

  A cross-site scripting (XSS) vulnerability was discovered in the core parser. The vulnerability allowed arbitrary JavaScript execution when inserting a specially crafted piece of content into the editor via the clipboard or APIs. This impacts all users who are using TinyMCE 4.9.10 or lower and TinyMCE 5.4.0 or lower.

  We reviewed the potential impact of this vulnerability within the context of Silverstripe CMS. We concluded this is a medium impact vulnerability given how TinyMCE is used by Silverstripe CMS.

  Base CVSS: 5.4

  Reported by: Developers at ACC

  References

  • GHSA-vrv8-v4w8-f95h
  • https://www.mend.io/vulnerability-database/WS-2020-0142
  • https://www.tiny.cloud/docs/release-notes/release-notes54/#securityfixes

   

• CVE-2023-22729 - Open redirect vulnerability on CMSSecurity relogin screen

  Severity:

  Medium (?)

  Identifier:

  CVE-2023-22729

  Versions Affected:

  silverstripe/framework: ^4.0.0

  Versions Fixed:

  silverstripe/framework: 4.12.5, 4.13.0

  Release Date:

  2023-04-26

  An attacker can display a link to a third party website on a login screen by convincing a legitimate content author to follow a specially crafted link.

  Base CVSS: 4.3

  Reported by: Matthew Dekker

• CVE-2023-22728 - Missing permission check in GridFieldPrintButton

  Severity:

  Medium (?)

  Identifier:

  CVE-2023-22728

  Versions Affected:

  silverstripe/framework: ^4.0.0

  Versions Fixed:

  silverstripe/framework: 4.12.5, 4.13.0

  Release Date:

  2023-04-26

  The GridField print view incorrectly validates the permission of DataObjects potentially allowing a content author to view records they are not authorised to access.

  Base CVSS: 4.3

  Reported by: Stephan Bauer from relaxt Webdienstleistungsagentur GmbH

• CVE-2023-28104 - DDOS attack on graphql endpoints

  Severity:

  High (?)

  Identifier:

  CVE-2023-28104

  Versions Affected:

  4.2.2, 4.1.1

  Versions Fixed:

  4.2.3, 4.1.2

  Release Date:

  2023-03-16

  An attacker could use a specially crafted graphql query to execute a Distributed Denial of Service attack (DDOS attack) against a website. This mostly affects websites with publicly exposed and particularly large/complex graphql schemas.

  If your Silverstripe CMS project does not expose a public facing graphql schema, a user account is required to trigger the DDOS attack. If your site is hosted behind a content delivery network (CDN), such as Imperva or CloudFlare, this will likely further mitigate the risk.

  Base CVSS: 7.5

  Reported by: Guy Sartorelli from Silverstripe

• CVE-2022-42949 - Subsite weakens file permissions

  Severity:

  Medium (?)

  Identifier:

  CVE-2022-42949

  Versions Affected:

  silverstripe/subsites: ^2

  Versions Fixed:

  silverstripe/subsites: ^2.6.1, ^2.7.0

  Release Date:

  2022-12-19

  The subsites module can weaken edit restrictions on some files and allow a malicious user to edit files they do not have edit rights to.

  This only affects projects with the subsites module installed. Regression testing should focus on custom file logic.

  Be advised that this is not a case of a user being able to edit a file in subsites they do not have access to. As a reminder, all separation of content achieved with the subsites module should be viewed as cosmetic and not appropriate for security-critical applications.

  Base CVSS: 5.4

  Reported by: Bauke Zwaan from Hamaka

• CVE-2022-38724 XSS in shortcodes

  Severity:

  Medium (?)

  Identifier:

  CVE-2022-38724

  Versions Affected:

  silverstripe/framework: ^4.0.0, silverstripe/assets: ^1.0.0

  Versions Fixed:

  silverstripe/framework: ^4.11.13, silverstripe/assets: ^1.11.1

  Release Date:

  2022-11-21

  A malicious content author could add arbitrary attributes to HTML editor shortcodes which could be used to inject a JavaScript payload on the front end of the site. The shortcode providers that ship with Silverstripe CMS have been reviewed and attribute whitelists have been implemented where appropriate to negate this risk.

  Most projects should be able to apply the patch without further work. There's no legitimate use case for this behaviour. If your project includes custom shortcode providers, consider reviewing them and implementing a similar whitelist when rendering the shortcodes to HTML.

  Regression testing should focus on HTML Editor functionally relying on shortcodes:

  • image insertion
  • links to CMS resources
  • media insertion
  • custom shortcodes for your project.

  Base CVSS: 4.6

  Reported by: Steve Boyd from Silverstripe Ltd

• CVE-2022-38462 Reflected XSS in querystring parameters

  Severity:

  Medium (?)

  Identifier:

  CVE-2022-38462

  Versions Affected:

  silverstripe/framework: ^3.0.0, ^4.0.0

  Versions Fixed:

  silverstripe/framework: 4.11.13

  Release Date:

  2022-11-21

  An attacker could inject a XSS payload in a Silverstripe CMS response by carefully crafting a return URL on a /dev/build or /Security/login request.

  To exploit this vulnerability, an attacker would need to convince a user to follow a link with a malicious payload.

  This will only affect projects configured to output PHP warnings to the browser. By default, Silverstripe CMS will only output PHP warnings if your SS_ENVIRONMENT_TYPE environment variable is set to dev. Production sites should always set SS_ENVIRONMENT_TYPE to live.

  Read the Environment management documentation for more details on configuring environment variables.

  Most projects should be able to apply the patch without further work. There's no legitimate use case for this behaviour.

  Regression testing should focus on areas where the location header is used to redirect users.

  Base CVSS: 4.2

  Reported by: TF1T via huntr.dev

• CVE-2022-38148 Blind SQL Injection via GridFieldSortableHeader

  Severity:

  High (?)

  Identifier:

  CVE-2022-38148

  Versions Affected:

  silverstripe/framework: ^3.0.0, ^4.0.0

  Versions Fixed:

  silverstripe/framework: 4.10.11, 4.11.14

  Release Date:

  2022-11-21

  Gridfield state is vulnerable to SQL injections. The vast majority of Gridfields in Silverstripe CMS are affected by this vulnerability.

  An attacker with CMS access could execute an arbitrary SQL statement by adding an SQL payload in some parts of the GridField state.

  Most projects should be able to apply the patch without further work. There's no legitimate use case for this behaviour.

  Regression testing should focus on custom filtering and sorting logic for Gridfields.

  Base CVSS: 7.1

  Reported by: TF1T via huntr.dev

• CVE-2022-38147 XSS via uploaded gpx file

  Severity:

  Medium (?)

  Identifier:

  CVE-2022-38147

  Versions Affected:

  silverstripe/assets: ^1.0.0

  Versions Fixed:

  silverstripe/assets: 1.11.1

  Release Date:

  2022-11-21

  A malicious content author could upload a GPX file with a Javascript payload. The payload could then be executed by luring a legitimate user to view the file in a browser with support for GPX files. GPX is an XML-based format used to store GPS data.

  By default, Silverstripe CMS will no longer allow GPX files to be uploaded to the assets area.

  Most projects should be able to apply the patch without further work. While there can be a legitimate use case for using GPX files, it's an uncommon one. You can re-enable support for GPX files if you have a need for them, but beware there's an inherent risk in allowing content authors to upload this kind of file.

  Regression testing should focus on identifying if your site makes use of any GPX files. You can validate if you have any pre-existing GPX file on your Silverstripe CMS site by accessing the Files area and searching for "GPX". You'll want to delete any GPX file prior to applying the patch.

  Base CVSS: 4.6

  Reported by: nhienit via huntr.dev

   

• CVE-2022-38146 URL XSS vulnerability due to outdated jquery in CMS

  Severity:

  Medium (?)

  Identifier:

  CVE-2022-38146

  Versions Affected:

  silverstripe/admin: ^1.0.0

  Versions Fixed:

  silverstripe/admin: ^1.11.3

  Release Date:

  2022-11-21

  The Silverstripe CMS UI uses jQuery 1.7.2. This version of jQuery is affected by CVE-2019-11358 Object.prototype pollution. An attacker could perform an XSS attack by convincing a user to follow a link with a specially crafted __proto__ query string parameter.

  silverstripe/admin 1.11.3 addresses this problem by stopping all JavaScript execution if a __proto__ query string is present in the URL. This fix is just a stopped gap measure.

  This issue will be properly remediated by upgrading to jQuery 3.6.1 or later in the Silverstripe CMS 4.12.0 release.

  Most projects should be able to apply the patch without further work. There's no legitimate use case for this behaviour.

  Regression testing should focus on custom CMS UI functionality that might be implemented in your project.

  If you use the jQuery version distributed with Silverstripe CMS in the front end of your site, you may be affected by this vulnerability via the front end. If this applies to youp project, you should upgrade your theme to use a more recent jQuery version.

  Base CVSS: 5.4

  Reported by: Trong Pham via huntr.dev

• CVE-2022-38145 Stored XSS in Compare Mode

  Severity:

  Medium (?)

  Identifier:

  CVE-2022-38145

  Versions Affected:

  silverstripe/versioned-admin: ^1.0.0

  Versions Fixed:

  silverstripe/versioned-admin: ^1.11.1

  Release Date:

  2022-11-21

  A malicious content author could add a Javascript payload to a page's meta description and get it executed in the versioned history compare view.

  This vulnerability requires access to the CMS to be deployed. The attacker must then convince a privileged user to access the version history for that page.

  Most projects should be able to apply the patch without further work. There's no legitimate use case for this behaviour.

  Regression testing should focus on version comparison with the page history tab.

  Base CVSS: 4.6

  Reported by: TF1T via huntr.dev

• CVE-2022-37430 Stored XSS using uppercase characters in HTMLEditor

  Severity:

  Medium (?)

  Identifier:

  CVE-2022-37430

  Versions Affected:

  silverstripe/framework: ^3.0.0, ^4.0.0

  Versions Fixed:

  silverstripe/framework: 4.11.13

  Release Date:

  2022-11-21

  A malicious content author could add a Javascript payload to the href attribute of a link. A similar issue was identified and fixed via CVE-2022-28803. However, the fix didn't account for the casing of the href attribute.
  An attacker must have access to the CMS to exploit this issue.

  Most projects should be able to apply the patch without further work. There's no legitimate use case for this behaviour.

  Regression testing should focus on link creations within HTML editor fields.

  Base CVSS: 4.6

  Reported by: Steve Boyd from Silverstripe Ltd

• CVE-2022-37429 Stored XSS using HTMLEditor

  Severity:

  Medium (?)

  Identifier:

  CVE-2022-37429

  Versions Affected:

  silverstripe/framework: ^4.0.0, ^3.0.0

  Versions Fixed:

  silverstripe/framework: 4.11.13

  Release Date:

  2022-11-21

  A malicious content author could add a JavaScript payload to the href attribute of a link by splitting a javascript URL with white space characters.

  An attacker must have access to the CMS to exploit this issue.

  Most projects should be able to apply the patch without further work. There's no legitimate use case for this behaviour.

  Regression testing should focus on link creations within HTML editor fields.

  Base CVSS: 4.6

  Reported by: TF1T via huntr.dev

• CVE-2022-37421 Stored XSS in custom meta tags

  Severity:

  Low (?)

  Identifier:

  CVE-2022-37421

  Versions Affected:

  silverstripe/cms: ^4.0.0, ^3.0.0

  Versions Fixed:

  silverstripe/cms: 4.11.3

  Release Date:

  2022-11-21

  A malicious content author could create a custom meta tag and execute an arbitrary JavaScript payload. This would require convincing a legitimate user to access a page and enter a custom keyboard shortcut.
  This requires CMS access to exploit.

  Most projects should be able to apply the patch without further work. There's no legitimate use case for this behaviour.

  Regression testing should focus on pages with pre-existing custom meta tags, if any are present.

  Base CVSS: 3.7

  Reported by: TF1T via huntr.dev

• CVE-2022-29858 - Unpublished, protected files can be published via shortcode

  Severity:

  Medium (?)

  Identifier:

  CVE-2022-29858

  Versions Affected:

  silverstripe/assets: <=1.10.0

  Versions Fixed:

  silverstripe/assets: 1.10.1

  Release Date:

  2022-06-28

  Draft protected images can be published by changing an existing image shortcode on website content to match the ID of the draft protected image and then publishing the website content.

  Base CVSS: 4.3

  Reported by: ranjit-git via huntr.dev

   

   

• Prev
• 1
• 2
• 3
• 4
• 5
• 6
• 7
• 8
• 9
• 10
• 11
• 12
• Next