Security Releases
When potential security holes are discovered in SilverStripe's supported modules, we produce security releases to ensure that you are able to promptly secure your SilverStripe websites (check our security release process). All releases are available on our download page, and are announced on our forums (register to subscribe). Vulnerabilities in releases are disclosed here. Please subscribe to our security release RSS feed and pre-announcement mailing list to stay updated.
-
CVE-2019-5715: Reflected SQL Injection through Form and DataObject
- Severity:
- Critical
- Identifier:
- CVE-2019-5715 (SS-2018-021)
- Versions Affected:
- silverstripe/framework:>=3.6,<3.6.7, silverstripe/framework:>=3.7,<3.7.3, silverstripe/framework:>=4.0,<4.0.7, silverstripe/framework:>=4.1,<4.1.5, silverstripe/framework:>=4.2,<4.2.4, silverstripe/framework:>=4.3,<4.3.1
- Versions Fixed:
- silverstripe/framework:3.6.7, silverstripe/framework:3.7.3, silverstripe/framework:4.0.7, silverstripe/framework:4.1.5, silverstripe/framework:4.2.4, silverstripe/framework:4.3.1
- Release Date:
- 2019-02-19
A vulnerability has been identified where specifically crafted user input is executed as SQL SELECT statements in the process of writing this input to a database record. It requires a specific SilverStripe implementation to accept user input for this purpose (e.g. through a contact form which stores messages). It further requires that this record is exposed to the user again (e.g. emailing a copy of the contact form submission). In these situations, data stored in other database tables can be viewed (e.g. draft content). This only affects properties on the database record which are intended to be written through this user input (e.g. a contact form message, but not its database identifier).
There are no known exploits for this vulnerability which allow changing database state outside of the intended use (writing input to a specific database record). User input accepted by the CMS is not affected, since those endpoints require authentication. In certain situations, this vulnerability allows exposure of user credentials. These credentials are secured by strong one-way cryptography (bcrypt hashes with individual salts), which makes it impractical to gain access through offline attacks against the user's password.
Both direct assignment on DataObject (update(), setters via method calls, setters via magic methods) and indirect assignment (e.g. Form->saveInto()) are affected.
The vulnerability is related to the DBField classes underpinning the DataObject logic. Most DBField types in SilverStripe 3 are affected. Only the DBYear field type is confirmed to be affected in SilverStripe 4, limiting the impact in our current release line to a relatively uncommon use case.
Projects and modules which have implemented their own custom DBField classes may need to adjust them to override the DBField::scalarValueOnly() and DBField::prepValueForDB() methods if they want to accept non-scalar values. A common example of this is a composite field implementation (CompositeField). Usually, there is no need to adjust custom code apart from upgrading to the latest releases. Subclasses of DBCompositeField in 4.x are safe by default.
Our thanks to James Turner (plastyk studios) who responsibly disclosed the issue to us.
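As an added illustration of the override described above (this is example code, not SilverStripe's own), the following custom field accepts an array from user input but never lets a non-scalar value reach the write query. It assumes silverstripe/framework 4.x at or above the fixed releases, where DBField::scalarValueOnly() defaults to true and DBField::prepValueForDB() drops non-scalar values; the class name DBStringList and the method getDecodedList() are illustrative.

```php
<?php
// Added example, not SilverStripe's own code. Assumes silverstripe/framework 4.x at
// or above the fixed releases, where DBField::scalarValueOnly() defaults to true and
// DBField::prepValueForDB() drops non-scalar values. The class and method names
// below (DBStringList, getDecodedList) are illustrative.

namespace App\ORM\FieldType;

use SilverStripe\ORM\FieldType\DBText;

/**
 * A custom field that legitimately wants to accept an array from user input
 * (for example a multi-select on a contact form) without re-opening the hole
 * described in CVE-2019-5715.
 */
class DBStringList extends DBText
{
    /**
     * Tell the ORM this field accepts non-scalar input. Returning false switches
     * off the framework's default protection, so prepValueForDB() below is now
     * the only thing standing between user input and the write query.
     */
    public function scalarValueOnly()
    {
        return false;
    }

    /**
     * Collapse any accepted input into one plain string before the ORM sees it.
     * Whatever shape the input arrives in, the database only ever receives a
     * bound string parameter, never an array the query builder could interpret.
     */
    public function prepValueForDB($value)
    {
        if (is_array($value)) {
            // Keep only scalar entries and discard the keys: user-supplied keys
            // must never influence how the value is written.
            $clean = array_values(array_filter($value, 'is_scalar'));
            $value = json_encode(array_map('strval', $clean));
            if ($value === false) {
                $value = '[]';
            }
        } elseif (is_object($value)) {
            // Objects are never meaningful here; fail loudly rather than guess.
            throw new \InvalidArgumentException(static::class . ' does not accept objects');
        }

        // Scalars (and the JSON string produced above) take the normal path.
        return parent::prepValueForDB($value);
    }

    /**
     * Read side: decode back to a list of strings; anything that is not a JSON
     * array (including legacy rows) yields an empty list rather than an error.
     */
    public function getDecodedList()
    {
        $decoded = json_decode((string) $this->getValue(), true);
        return is_array($decoded) ? array_map('strval', $decoded) : [];
    }
}
```

Register the field on a DataObject as usual (private static $db = ['Tags' => DBStringList::class]). The point to check in any custom field that returns false from scalarValueOnly() is that its prepValueForDB() always hands the parent a scalar: if an array can pass through unchanged, the upgrade alone does not protect that field.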
-
SS-2018-024: GraphQL does not validate X-CSRF-TOKEN
- Severity:
- Medium
- Identifier:
- SS-2018-024
- Versions Affected:
- silverstripe/graphql:^4.0
- Versions Fixed:
- silverstripe/graphql:4.0.6, silverstripe/graphql:4.1.4, silverstripe/graphql:4.2.3, silverstripe/graphql:4.3.0
- Release Date:
- 2018-12-12
While the admin modules were sending the appropriate X-CSRF-TOKEN header in all requests, the GraphQL server was not validating it, thereby leaving itself open to CSRF exploitation, particularly on destructive operations.
-
SS-2018-020: Potential SQL vulnerability in PostgreSQL database connector
- Severity:
- Low
- Identifier:
- SS-2018-020
- Versions Affected:
- silverstripe/framework:^4.0, silverstripe/graphql:<4.3.0
- Versions Fixed:
- silverstripe/framework:4.0.6, silverstripe/framework:4.1.4, silverstripe/framework:4.2.3, silverstripe/framework:4.3.0
- Release Date:
- 2018-12-12
A potential SQL injection vulnerability was identified when using the silverstripe/postgresql database adapter. While unlikely to be exploitable, we have patched silverstripe/framework to ensure that table names are safely escaped before being passed to database adapters or user code.
-
SS-2018-019: Possible denial of service attack vector when flushing
- Severity:
- Medium
- Identifier:
- SS-2018-019
- Versions Affected:
- silverstripe/framework:^4.0
- Versions Fixed:
- silverstripe/framework:4.0.5, silverstripe/framework:4.1.3, silverstripe/framework:4.2.2, silverstripe/framework:4.3.0
- Release Date:
- 2018-11-07
A possible denial of service attack vector has been identified in the dev/build system controller.
dev/build now has its own URL token, similar to flushtoken, to ensure users are authenticated when running dev/build outside of dev environments.
Reported by Michael Strong (SilverStripe Ltd)
-
SS-2018-018: Database credentials disclosure during connection failure
- Severity:
- Medium
- Identifier:
- SS-2018-018
- Versions Affected:
- silverstripe/framework:^3.7, silverstripe/framework:^4.0
- Versions Fixed:
- silverstripe/framework:3.7.1, silverstripe/framework:4.0.5, silverstripe/framework:4.1.3, silverstripe/framework:4.2.2, silverstripe/framework:4.3.0
- Release Date:
- 2018-11-07
When running SilverStripe 3.7 or 4.x in dev mode with the mysqli database driver, database connection details (including credentials) can be disclosed in the stack traces shown for database errors.
We have blacklisted the sensitive parts of the connection information from being included in dev mode stack traces when database errors occur.
Reported by Dylan Wagstaff (SilverStripe Ltd) and Lukas Erni.
-
SS-2018-007: GraphQL lacks CSRF
- Severity:
- Medium
- Identifier:
- SS-2018-007
- Versions Affected:
- >= 4
- Versions Fixed:
- 4.0.5, 4.1.3, 4.2.2, 4.3.0-rc1
- Release Date:
- 2018-11-07
The GraphQL server used by the CMS is exposed to a CSRF vulnerability that allows attackers to force admins to delete all the files on their SilverStripe installation, because the deletion request is sent without validating the origin of the request or a CSRF token that would prevent such acts.
Reported by Mustafa Hasan
-
SS-2018-007: CSRF vulnerability in graphql
- Severity:
- High
- Identifier:
- SS-2018-007
- Versions Affected:
- silverstripe/graphql:^2.0
- Versions Fixed:
- silverstripe/graphql:2.0.3, silverstripe/graphql:3.0.0
- Release Date:
- 2018-11-07
The GraphQL controller lacked any CSRF protection, meaning authenticated users could be forced or tricked into visiting a URL that sends a GET request to the affected web server and mutates or destroys data without the user knowing.
Reported by Mustafa Hasan
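The two GraphQL advisories (SS-2018-007 above and SS-2018-024 earlier on this page) describe two separate gaps: state-changing operations reachable over GET, and an X-CSRF-TOKEN header that was sent but never checked. The request guard below is an added example, not the silverstripe/graphql module's own fix, showing both checks together. The function name, the array-based request shape and the session token source are assumptions; the requests at the bottom are constructed, not captured traffic.

```php
<?php
// Added example, not the silverstripe/graphql module's own fix. Shows the two checks
// the advisories SS-2018-007 and SS-2018-024 describe: refuse state-changing GraphQL
// operations over GET, and require a valid X-CSRF-TOKEN header on the rest. Function
// name, the array-based request shape and the token source are assumptions.

/**
 * @param string      $method         HTTP method of the incoming request
 * @param array       $headers        request headers with lower-cased names
 * @param bool        $isMutation     whether the parsed GraphQL document runs a mutation
 * @param string|null $sessionToken   the CSRF token issued to this session (null if none)
 * @param string      $expectedOrigin scheme://host[:port] of the CMS, for the Origin check
 */
function graphqlRequestAllowed(
    string $method,
    array $headers,
    bool $isMutation,
    ?string $sessionToken,
    string $expectedOrigin
): bool {
    // Read-only queries carry no CSRF risk on their own: a cross-origin page can
    // make the request but cannot read the JSON response.
    if (!$isMutation) {
        return true;
    }

    // SS-2018-007: a mutation reachable via GET can be fired by an <img src="...">
    // or a link in an email, with the victim's session cookie attached.
    if (strtoupper($method) !== 'POST') {
        return false;
    }

    // Origin/Referer check, where the browser sent one: a request from another
    // site fails here before the token is even looked at.
    $origin = $headers['origin'] ?? null;
    if ($origin === null && isset($headers['referer'])) {
        $p = parse_url($headers['referer']);
        if ($p !== false && isset($p['scheme'], $p['host'])) {
            $origin = $p['scheme'] . '://' . $p['host'] . (isset($p['port']) ? ':' . $p['port'] : '');
        }
    }
    if ($origin !== null && strcasecmp(rtrim($origin, '/'), rtrim($expectedOrigin, '/')) !== 0) {
        return false;
    }

    // SS-2018-024: the header the CMS already sends must actually be checked.
    // Only same-origin JavaScript can read the token and put it in a header, so a
    // forged cross-site POST cannot supply it. hash_equals() avoids a timing leak.
    $sent = $headers['x-csrf-token'] ?? '';
    if ($sessionToken === null || $sessionToken === '' || $sent === '') {
        return false;
    }
    return hash_equals($sessionToken, (string) $sent);
}

// Constructed requests to illustrate the decisions (not captured traffic).
$token = bin2hex(random_bytes(16));
$cms   = 'https://cms.example';

// Forged GET from an <img> tag: rejected on method alone.
assert(graphqlRequestAllowed('GET', ['origin' => 'https://evil.example'], true, $token, $cms) === false);
// Forged POST from another site: rejected (Origin mismatch, and no token anyway).
assert(graphqlRequestAllowed('POST', ['origin' => 'https://evil.example'], true, $token, $cms) === false);
// Same-origin POST that forgot the header: rejected.
assert(graphqlRequestAllowed('POST', ['origin' => $cms], true, $token, $cms) === false);
// Genuine CMS request with the header the admin modules already send: allowed.
assert(graphqlRequestAllowed('POST', ['origin' => $cms, 'x-csrf-token' => $token], true, $token, $cms) === true);
// A read-only query is not gated by the token.
assert(graphqlRequestAllowed('POST', [], false, $token, $cms) === true);
```

The Origin check is a second layer, not a replacement for the token: browsers do not always send Origin, and an empty value must fall through to the token comparison rather than be treated as a pass. The decision whether a document is a mutation has to come from the parsed GraphQL document, not from the HTTP method, since the whole problem in SS-2018-007 was that mutations arrived as GET.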
-
SS-2018-017: Possible PHP Object Injection via Multi-Value Field Extension
- Severity:
- Medium
- Identifier:
- SS-2018-017
- Versions Affected:
- symbiote/silverstripe-multivaluefield:^3.0
- Versions Fixed:
- symbiote/silverstripe-multivaluefield:3.1.0
- Release Date:
- 2018-07-26
A potential deserialisation vulnerability has been identified in the symbiote/silverstripe-multivaluefield module which could allow an attacker to exploit implementations of this module via PHP object injection.
Support for handling PHP objects as values in this module has been deprecated, and the serialisation technique has been switched to using JSON for handling arrays.
As well as this, a potential XSS (cross-site scripting) vulnerability has been identified and remediated.
Reported by Insomnia Security.
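To make the change of serialisation technique concrete, here is an added example (not the symbiote/silverstripe-multivaluefield code) contrasting the two storage formats: unserialize(), which will instantiate whatever class a stored string names, and JSON, which has no notion of classes. It also shows how legacy rows written in the old format can be read without reviving objects, using the allowed_classes option of unserialize() (PHP 7.0 or later). Function names are illustrative and the stored values are constructed.

```php
<?php
// Added example, not the symbiote/silverstripe-multivaluefield code. It contrasts the
// two storage formats the advisory describes: PHP serialize()/unserialize(), which
// can instantiate arbitrary classes from stored data, and JSON, which cannot. Function
// names are illustrative; the stored strings are constructed for the demonstration.

/**
 * BEFORE (vulnerable shape): the column value goes straight to unserialize().
 * If an attacker can get their string into that column, PHP will build whatever
 * object the string names and run its __wakeup()/__destruct() hooks.
 */
function decodeMultiValueUnsafe(string $stored): array
{
    $value = unserialize($stored);
    return is_array($value) ? $value : [];
}

/** AFTER: store a list of scalars as JSON. json_encode() cannot name a class. */
function encodeMultiValue(array $values): string
{
    // Drop anything that is not a scalar; object support is deprecated in the fix.
    $scalars = array_values(array_filter($values, 'is_scalar'));
    return json_encode($scalars, JSON_UNESCAPED_UNICODE);
}

/**
 * AFTER: read JSON first; accept legacy serialized rows only with allowed_classes
 * disabled (PHP >= 7.0), so an object payload comes back as __PHP_Incomplete_Class
 * with no constructor, __wakeup() or __destruct() executed.
 */
function decodeMultiValue(string $stored): array
{
    $decoded = json_decode($stored, true);
    if (json_last_error() === JSON_ERROR_NONE && is_array($decoded)) {
        return $decoded;
    }

    // Legacy row written by the serialize()-based version of the module.
    if (strncmp($stored, 'a:', 2) === 0) {
        $legacy = @unserialize($stored, ['allowed_classes' => false]);
        if (is_array($legacy)) {
            // Keep only scalars: any neutralised object is discarded here.
            return array_values(array_filter($legacy, 'is_scalar'));
        }
    }
    return [];
}

// Constructed values for illustration.
$benign  = serialize(['red', 'green']);             // legacy row, starts with "a:2:{"
$hostile = serialize(['red', new DateTime('@0')]);  // a row that smuggles an object

assert(decodeMultiValue($benign) === ['red', 'green']);
assert(decodeMultiValue($hostile) === ['red']);     // the object was never instantiated
assert(decodeMultiValue(encodeMultiValue(['a', 1, true])) === ['a', 1, true]);
```

The important property is that nothing in the read path can run attacker-chosen code: json_decode() only ever produces arrays and scalars, and unserialize() with allowed_classes set to false produces inert placeholder objects instead of live ones, which the scalar filter then drops.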
-
SS-2018-016: Unsafe SQL Query Construction (Safe Data Source)
- Severity:
- Low
- Identifier:
- SS-2018-016
- Versions Affected:
- silverstripe/subsites:^2.0
- Versions Fixed:
- silverstripe/subsites:2.1.1
- Release Date:
- 2018-07-26
A low-severity potential SQL injection vulnerability in the silverstripe/subsites module has been identified and fixed in version 2.1.1.
Reported by Insomnia Security.
-
SS-2018-002: SSRF vulnerability
- Severity:
- Low
- Identifier:
- SS-2018-002
- Versions Affected:
- silverstripe/asset-admin: >=1.0.0
- Versions Fixed:
- silverstripe/asset-admin: 1.2.0
- Release Date:
- 2018-07-25
A Server Side Request Forgery (SSRF) vulnerability in the "Insert Media" feature (oembed) of the CMS allows a malicious user to make requests to the local network to expose potentially sensitive information about open ports. To our knowledge, the vulnerability cannot be used to retrieve data available via those ports.
Reported by Ahmad Ashraff of Aura Information Security
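The class of bug above is a server fetching a URL chosen by a CMS user. As an added example (not the silverstripe/asset-admin code), the pre-flight check below restricts such a fetch to http/https on ports 80 and 443 and to hosts whose every resolved address is public, which is what removes both the port-probing described in the advisory and the internal-network reach. The function name is an assumption; the resolver callback exists so the example runs offline against constructed DNS answers.

```php
<?php
// Added example, not the silverstripe/asset-admin code. A pre-flight check for the
// URL a CMS user pastes into "Insert Media": the oembed lookup should only ever be
// made to public hosts on ordinary web ports. Function names are assumptions; the
// resolver callback exists so the example runs offline with constructed DNS answers.

/**
 * @param string        $url     the user-supplied media URL
 * @param callable|null $resolve fn(string $host): string[] of IP addresses; defaults to real DNS
 */
function isSafeOembedTarget(string $url, ?callable $resolve = null): bool
{
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        return false;
    }
    // Only web schemes; no file://, gopher://, dict:// or similar.
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // Credentials embedded in the URL are never needed for oembed; refuse them.
    if (isset($p['user']) || isset($p['pass'])) {
        return false;
    }
    // Restricting the port is what stops the request being used to probe
    // arbitrary services on a reachable host.
    $port = $p['port'] ?? (strtolower($p['scheme']) === 'https' ? 443 : 80);
    if (!in_array($port, [80, 443], true)) {
        return false;
    }

    $host = strtolower(trim($p['host'], '[]'));  // parse_url keeps IPv6 brackets
    $resolve = $resolve ?: function (string $h): array {
        if (filter_var($h, FILTER_VALIDATE_IP) !== false) {
            return [$h];
        }
        $ips = [];
        foreach ((array) @dns_get_record($h, DNS_A | DNS_AAAA) as $r) {
            $ips[] = $r['ip'] ?? ($r['ipv6'] ?? null);
        }
        return array_values(array_filter($ips));
    };

    // Check every address the name resolves to: a public hostname that also
    // points at 127.0.0.1 or 10.x is exactly how SSRF filters get bypassed.
    $ips = $resolve($host);
    if ($ips === []) {
        return false;
    }
    foreach ($ips as $ip) {
        $public = filter_var(
            $ip,
            FILTER_VALIDATE_IP,
            FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
        );
        if ($public === false) {
            return false;
        }
    }
    return true;
}

// Constructed DNS answers so the checks can be exercised without network access.
$fakeDns = function (string $host): array {
    $table = [
        'video.example'    => ['203.0.113.10'],
        'intranet.example' => ['10.0.0.5'],
        'rebound.example'  => ['203.0.113.10', '127.0.0.1'], // one public, one loopback
    ];
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return [$host];
    }
    return $table[$host] ?? [];
};

assert(isSafeOembedTarget('https://video.example/watch?v=1', $fakeDns) === true);
assert(isSafeOembedTarget('http://intranet.example/', $fakeDns) === false);
assert(isSafeOembedTarget('http://rebound.example/', $fakeDns) === false);
assert(isSafeOembedTarget('http://127.0.0.1:8080/', $fakeDns) === false);
assert(isSafeOembedTarget('http://[::1]/', $fakeDns) === false);
assert(isSafeOembedTarget('http://203.0.113.10:6379/', $fakeDns) === false);
assert(isSafeOembedTarget('file:///etc/passwd', $fakeDns) === false);
```

Two caveats a practitioner will want: the HTTP client must not follow redirects blindly (each Location target needs the same check), and the name resolved here may resolve differently a moment later, so the client should connect to the address that was validated rather than resolving again.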
-
SS-2018-014: Dangerous file types in allowed upload
- Severity:
- Low
- Identifier:
- SS-2018-014
- Versions Affected:
- silverstripe/framework:^3.6.5, silverstripe/framework:^4.0.3, silverstripe/framework:^4.1.0
- Versions Fixed:
- silverstripe/framework:3.6.6, silverstripe/framework:4.0.4, silverstripe/framework:4.1.1
- Release Date:
- 2018-06-28
Some potentially dangerous file types exist in File.allowed_extensions which could allow a malicious CMS user to upload files that then get executed in the security context of the website. We have removed the ability to upload .css, .js, .potm, .dotm, .xltm and .jar files in the default configuration. Since allowed_extensions are synced to webserver configuration (in assets/.htaccess) automatically, this will also deny access to any existing uploads with these extensions.
Review our security guidelines for the Common Web Platform and the File Security guide for SilverStripe 4 to find out how to add or remove extensions.
Reported by Insomnia Security.
-
SS-2018-013: Passwords sent back to browsers under some circumstances
- Severity:
- Low
- Identifier:
- SS-2018-013
- Versions Affected:
- silverstripe/framework:^3.5, silverstripe/framework:^4.0.3, silverstripe/framework:^4.1.0
- Versions Fixed:
- silverstripe/framework:3.7.0, silverstripe/framework:4.0.4, silverstripe/framework:4.1.1
- Release Date:
- 2018-06-28
Under some circumstances a form may populate a PasswordField with submitted data, reflecting submitted data back to a user. The user will only see their own submissions for password data, which is not considered best practice. We are not aware of data leaks to other users, devices or sessions.
Reported by Logan Woods at Aura Information Security.
-
SS-2018-015: Vulnerable dependency
- Severity:
- Low
- Identifier:
- SS-2018-015
- Versions Affected:
- silverstripe/comments:^1.3, silverstripe/comments:^2.0
- Versions Fixed:
- silverstripe/comments:3.1.1
- Release Date:
- 2018-05-28
The silverstripe/comments module, the cwp/starter-theme and the cwp/watea-theme include an outdated version of jQuery by default, which contains XSS vulnerabilities if user input is used in certain contexts. Though no known exploit has been found for these in the existing usage, user customisation to these themes could have made them exploitable.
CWP 2.0.0 has been released with the fixed cwp/starter-theme and silverstripe/comments module, and SilverStripe 4.2.0 will be released with the fixed silverstripe-themes/simple theme.
Reported by Insomnia Security.
-
SS-2018-012: Uploaded PHP script execution in assets
- Severity:
- Low
- Identifier:
- SS-2018-012
- Versions Affected:
- silverstripe/framework:^4.0
- Versions Fixed:
- silverstripe/framework:4.0.4, silverstripe/framework:4.1.1
- Release Date:
- 2018-05-28
A weakness in the .htaccess rules preventing requests to uploaded PHP scripts allows PHP scripts that had made their way into the assets directory to be successfully executed through the use of a specially crafted URL. There are protections in place to disallow upload of PHP scripts through the CMS, meaning this weakness does not lead to direct vulnerabilities.
In addition, sites hosted on the New Zealand Common Web Platform or SilverStripe Platform have additional configuration in place which prevents PHP script execution in assets, even if a malicious party manages to upload these into the folder.
Reported by Insomnia Security.
-
SS-2018-011: SQL injection vulnerability
- Severity:
- Medium
- Identifier:
- SS-2018-011
- Versions Affected:
- silverstripe/taxonomy: 1.3.0, 2.0.0
- Versions Fixed:
- silverstripe/taxonomy: 1.3.1, 2.0.1
- Release Date:
- 2018-05-28
There is a vulnerability in the silverstripe/taxonomy module that allows SQL injection. The affected controller (TaxonomyDirectoryController) is disabled by default and must be enabled by a developer for the exploit to be possible.
Reported by Insomnia Security.