This page aggregates CVE and security vulnerability information across Silverstripe products, listing CVSS, EPSS, publication date, and vulnerability details.
Common weakness patterns include SQL injection, path-handling flaws, CSRF, and input validation issues; in production workloads these can lead to risks such as data exposure, file overwrite, and unexpected behavior.
The data is based on public vulnerability information and security advisories and can be used to assess historical exposure and patch priority.
| CVE | Summary | Source | Max CVSS | EPSS (%) | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2025-30148 | Silverstripe Framework is a PHP framework which powers the Silverstripe CMS. Prior to 5.3.23, bad actor with access to edit content in the CMS could send a specifically crafted encoded payload to the server, which could be used to inject a JavaScript payload on the front end of the site. The payload would be sanitized on the client-side, but server-side sanitization doesn't catch it. The server-side sanitization logic has been updated to sanitize against this attack. This vulnerability is fixed | [email protected] | 5.4 | 0.22% | 2025-04-10 | 2025-09-04 |
| CVE-2024-53277 | Silverstripe Framework is a PHP framework which powers the Silverstripe CMS. In some cases, form messages can contain HTML markup. This is an intentional feature, allowing links and other relevant HTML markup for the given message. Some form messages include content that the user can provide. There are scenarios in the CMS where that content doesn't get correctly sanitised prior to being included in the form message, resulting in an XSS vulnerability. This issue has been addressed in silverstrip | [email protected] | 5.4 | 0.30% | 2025-01-14 | 2025-09-04 |
| CVE-2024-32981 | Silverstripe framework is the PHP framework forming the base for the Silverstripe CMS. In affected versions a bad actor with access to edit content in the CMS could send a specifically crafted encoded payload to the server, which could be used to inject a JavaScript payload on the front end of the site. The payload would be sanitised on the client-side, but server-side sanitisation doesn't catch it. The server-side sanitisation logic has been updated to sanitise against this type of attack i | [email protected] | 5.4 | 0.33% | 2024-07-17 | 2025-09-04 |
| CVE-2024-29885 | silverstripe/reports is an API for creating backend reports in the Silverstripe Framework. In affected versions reports can be accessed by their direct URL by any user who has access to view the reports admin section, even if the `canView()` method for that report returns `false`. This issue has been addressed in version 5.2.3. All users are advised to upgrade. There are no known workarounds for this vulnerability. | [email protected] | 4.3 | 0.40% | 2024-07-17 | 2025-09-04 |
| CVE-2023-49783 | Silverstripe Admin provides a basic management interface for the Silverstripe Framework. In versions on the 1.x branch prior to 1.13.19 and on the 2.x branch prior to 2.1.8, users who don't have edit or delete permissions for records exposed in a `ModelAdmin` can still edit or delete records using the CSV import form, provided they have create permissions. The likelihood of a user having create permissions but not having edit or delete permissions is low, but it is possible. Note that this doesn | [email protected] | 4.3 | 0.34% | 2024-01-23 | 2024-11-21 |
| CVE-2023-48714 | Silverstripe Framework is the framework that forms the base of the Silverstripe content management system. Prior to versions 4.13.39 and 5.1.11, if a user should not be able to see a record, but that record can be added to a `GridField` using the `GridFieldAddExistingAutocompleter` component, the record's title can be accessed by that user. Versions 4.13.39 and 5.1.11 contain a fix for this issue. | [email protected] | 4.3 | 0.36% | 2024-01-23 | 2024-11-21 |
| CVE-2023-44401 | The Silverstripe CMS GraphQL Server serves Silverstripe data as GraphQL representations. In versions 4.0.0 prior to 4.3.7 and 5.0.0 prior to 5.1.3, `canView` permission checks are bypassed for ORM data in paginated GraphQL query results where the total number of records is greater than the number of records per page. Note that this also affects GraphQL queries which have a limit applied, even if the query isn’t paginated per se. This has been fixed in versions 4.3.7 and 5.1.3 by ensuring no new | [email protected] | 5.3 | 0.42% | 2024-01-23 | 2024-11-21 |
| CVE-2023-40180 | silverstripe-graphql is a package which serves Silverstripe data in GraphQL representations. An attacker could use a recursive graphql query to execute a Distributed Denial of Service attack (DDOS attack) against a website. This mostly affects websites with publicly exposed graphql schemas. If your Silverstripe CMS project does not expose a public facing graphql schema, a user account is required to trigger the DDOS attack. If your site is hosted behind a content delivery network (CDN), such as | [email protected] | 7.5 | 0.90% | 2023-10-16 | 2024-11-21 |
| CVE-2023-22729 | Silverstripe Framework is the Model-View-Controller framework that powers the Silverstripe content management system. Prior to version 4.12.15, an attacker can display a link to a third party website on a login screen by convincing a legitimate content author to follow a specially crafted link. Users should upgrade to Silverstripe Framework 4.12.15 or above to address the issue. | [email protected] | 5.4 | 0.42% | 2023-04-26 | 2024-11-21 |
| CVE-2023-22728 | Silverstripe Framework is the Model-View-Controller framework that powers the Silverstripe content management system. Prior to version 4.12.15, the GridField print view incorrectly validates the permission of DataObjects potentially allowing a content author to view records they are not authorised to access. Users should upgrade to Silverstripe Framework 4.12.15 or above to address the issue. | [email protected] | 4.3 | 0.49% | 2023-04-26 | 2024-11-21 |
| CVE-2023-28104 | `silverstripe/graphql` serves Silverstripe data as GraphQL representations. In versions 4.2.2 and 4.1.1, an attacker could use a specially crafted graphql query to execute a denial of service attack against a website which has a publicly exposed graphql endpoint. This mostly affects websites with particularly large/complex graphql schemas. Users should upgrade to `silverstripe/graphql` 4.2.3 or 4.1.2 to remedy the vulnerability. | [email protected] | 7.5 | 1.05% | 2023-03-16 | 2024-11-21 |
| CVE-2022-42949 | Silverstripe silverstripe/subsites through 2.6.0 has Insecure Permissions. | [email protected] | 7.5 | 0.52% | 2022-12-21 | 2025-04-17 |
| CVE-2022-38147 | Silverstripe silverstripe/framework through 4.11 allows XSS (issue 3 of 3). | [email protected] | 5.4 | 0.52% | 2022-11-23 | 2025-04-25 |
| CVE-2022-37421 | Silverstripe silverstripe/cms through 4.11.0 allows XSS. | [email protected] | 5.4 | 0.53% | 2022-11-23 | 2025-04-25 |
| CVE-2022-38145 | Silverstripe silverstripe/framework through 4.11 allows XSS (issue 1 of 3): remote attackers can add a JavaScript payload to a page's meta description, which is then executed in the versioned history compare view. | [email protected] | 5.4 | 0.60% | 2022-11-23 | 2025-04-25 |
| CVE-2022-37430 | Silverstripe silverstripe/framework through 4.11 allows XSS via the href attribute of a link (issue 2 of 2). | [email protected] | 5.4 | 0.52% | 2022-11-23 | 2025-04-25 |
| CVE-2022-37429 | Silverstripe silverstripe/framework through 4.11 allows XSS (issue 1 of 2) via JavaScript payload to the href attribute of a link by splitting a javascript URL with white space characters. | [email protected] | 5.4 | 0.47% | 2022-11-23 | 2025-04-25 |
| CVE-2022-38724 | Silverstripe silverstripe/framework through 4.11.0, silverstripe/assets through 1.11.0, and silverstripe/asset-admin through 1.11.0 allow XSS. | [email protected] | 5.4 | 0.65% | 2022-11-23 | 2025-04-29 |
| CVE-2022-38462 | Silverstripe silverstripe/framework through 4.11 is vulnerable to XSS by carefully crafting a return URL on a /dev/build or /Security/login request. | [email protected] | 6.1 | 0.47% | 2022-11-22 | 2025-04-29 |
| CVE-2022-38148 | Silverstripe silverstripe/framework through 4.11 allows SQL Injection. | [email protected] | 8.8 | 0.72% | 2022-11-21 | 2025-04-30 |