Security Releases

This site requires you to update your browser. Your browsing experience maybe affected by not having the most up to date version.

When potential security holes are discovered in SilverStripe's supported modules, we produce security releases to ensure that you are able to promptly secure your SilverStripe websites (check our security release process). All releases are available on our download page, and are announced on our forums (register to subscribe). Vulnerabilities in releases are disclosed here. Please subscribe to our security release RSS feed and pre-announcement mailing list to stay updated.

CVE-2022-28803 - Stored XSS in link tags added via XHR

Severity:

Medium (?)

Identifier:
CVE-2022-28803

Versions Affected:
silverstripe/framework: <=4.10.8

Versions Fixed:
silverstripe/framework: 4.10.9

Release Date:
2022-06-28

XSS inside the href attribute of an HTML hyperlink can be added to website content via XHR by an authenticated CMS user.

Base CVSS: 5.4
Reported by: ranjit-git via huntr.dev
CVE-2022-25238 - Stored XSS via HTML fields

Severity:

Medium (?)

Identifier:
CVE-2022-25238

Versions Affected:
silverstripe/framework: <=4.10.8

Versions Fixed:
silverstripe/framework: 4.10.9

Release Date:
2022-06-28

XSS inside of script tags can can be added to website content via XHR by an authenticated CMS user if the cwp-core module is not installed on the sanitise_server_side contig is not set to true in project code.
Base CVSS: 5.4
Reported by: Greg Best from Aura Information Security
CVE-2022-24444 - Hybridsessions does not expire session id on logout

Severity:

Medium (?)

Identifier:
CVE-2022-24444

Versions Affected:
silverstripe/hybridsessions: <=2.4.0, 2.5.0

Versions Fixed:
silverstripe/hybridsessions: 2.4.1, 2.5.1

Release Date:
2022-06-28

When using the hybridsessions module is used without the session-manager module installed and sessions IDs are saved to disk, unexpired SessionIDs of logged out users can still be used to make authenticated requests.
Base CVSS: 4.8
Reported by: Kartik Patel
CVE-2021-41559 - Quadratic blowup in Convert::xml2array()

Severity:

Medium (?)

Identifier:
CVE-2021-41559

Versions Affected:
silverstripe/framework: <=4.10.8

Versions Fixed:
silverstripe/framework: 4.10.9

Release Date:
2022-06-28

The Convert::xml2array() function is vulnerable to quadratic blowup where a malicious xml doctype with internal entities can cause CPU usage to go to 100% and stay there.
Base CVSS: 4.8
Reported by: Matthew Dekker from ZX Security
CVE-2022-29254 Failed payment recorded has completed

Severity:

Low (?)

Identifier:
CVE-2022-29254

Versions Affected:
silverstripe/silverstripe-omnipay: <=2.5.1, <=3.0.1, <=3.1.3, <=3.2.0

Versions Fixed:
silverstripe/silverstripe-omnipay: 2.5.2, 3.0.2, 3.1.4, 3.2.1

Release Date:
2022-06-06

For a subset of Omnipay gateways (those that use intermediary states like isNotification() or isRedirect()), if the payment identifier or success URL is exposed it is possible for payments to be prematurely marked as completed without payment being taken. This is mitigated by the fact that most payment gateways hide this information from users, however some issuing banks offer flawed 3DSecure implementations that may inadvertently expose this data.
CVE-2021-36150 - Insert from files link text - Reflective (self) Cross Site Scripting

Severity:

Medium (?)

Identifier:
CVE-2021-36150

Versions Affected:
silverstripe/admin: ^1.0

Versions Fixed:
silverstripe/admin: ^1.8.1, silverstripe/admin: ^1.9.0

Release Date:
2021-10-05

A reflective cross-site-script vulnerability exists where if an unwitting CMS user is tricked into pasting HTML containing script tags into a particular CMS form field, arbitrary javascript can be run inside the users browser.
Base CVSS: 4.0
CWP CVSS: 4.0
Reporters: Anonymous disclosure
CVE-2021-28661 Default GraphQL permission checker not inherited by query subclass

Severity:

Low (?)

Identifier:
CVE-2021-28661

Versions Affected:
silverstripe/graphql: ^3.0.0

Versions Fixed:
silverstripe/graphql: ^3.5.2, silverstripe/graphql: ^3.6.0

Release Date:
2021-10-05

CMS users without limited permissions to view data may be able access privileged information via the /admin/graphql endpoint because of a missing canView() on data. This affects data classes that utilise or inherit from the Read or ReadOne GraphQL 3 classes that don't explicitly assign a service class to the permissionChecker property of their implementation. On a default installation this will expose limited (ID, FirstName, Surname) information from the Member table which a CMS user typically will not have access to.
Graphql 4 is not affected by this.
If you have a legitimate use for an ItemQuery/ListQuery scaffolder class without a permission checker, you can use the following example.
```
# Put this in `app/_config/mysite.yml` on another config file
SilverStripe\Core\Injector\Injector:
  My\App\QueryPermissionChecker.nocheck:
    class: My\App\NoCheckPermissionChecker
  My\App\CustomItemQueryScaffolder:
    properties:
      permissionChecker: '%$My\App\QueryPermissionChecker.nocheck'
  My\App\CustomListQueryScaffolder:
    properties:
      permissionChecker: '%$My\App\QueryPermissionChecker.nocheck'
```
```
<?php

namespace My\App;

use SilverStripe\GraphQL\Permission\QueryPermissionChecker;
use SilverStripe\ORM\Filterable;
use SilverStripe\Security\Member;

class NoCheckPermissionChecker implements QueryPermissionChecker
{
    public function applyToList(Filterable $list, Member $member = null)
    {
        return $list;
    }

    public function checkItem($item, Member $member = null)
    {
        return true;
    }
}
```
Base CVSS: 3.0
CWP CVSS: 3.0
Reporters:
- ZX Security Ltd
- Luke Edwards from DNA Design (lukereative on GitHub)
CVE-2021-25817 XXE Vulnerability in CSSContentParser

Severity:

Low (?)

Identifier:
CVE-2021-25817

Versions Affected:
silverstripe/framework: ^4.0.0

Versions Fixed:
silverstripe/framework: ^4.7.4, ^4.8.0

Release Date:
2021-06-08

A developer utility meant for parsing HTML within unit tests can be vulnerable to XML External Entity (XXE) attacks. When this developer utility is misused for purposes involving external or user submitted data in custom project code, it can lead to vulnerabilities such as XSS on HTML output rendered through this custom code. This is now mitigated by disabling external entities during parsing.
Base CVSS: 3.3
CWP CVSS: 3.3
Thanks to Wang Zhen and Christopher Darling for reporting.
CVE-2020-26138 FormField with square brackets in field name skips validation

Severity:

Low (?)

Identifier:
CVE-2020-26138

Versions Affected:
silverstripe/framework: ^3.0.0, ^4.0.0

Versions Fixed:
silverstripe/framework: ^4.7.4, ^4.8.0

Release Date:
2021-06-08

FileField with array notation skips validation
The FileField class is commonly used for file upload in custom code on a Silverstripe website. This field is designed to be used with a single file upload.
PHP allows for submitting multiple values by adding square brackets to the field name. When this is done to a FileField, it will be coerced into allowing multiple files by using this notation. This is not a supported feature, though nothing is done to prevent this.
In this scenario, validation such as limiting allowed extensions is not applied, and the FileField->saveInto() behaviour is not triggered. If custom controller logic is used to process the file uploads, it might implicitly rely on validation to be provided by the Form system, which is not the case.
Note this issue is for the FileField, not the UploadField which is used within the CMS.
Example:
```
public function MyForm()
{
  $fields = FieldList::create(
    FileField::create('MySafeField')->setAllowedExtensions(['pdf']),
    FileField::create('MyUnsafeField[]')->setAllowedExtensions(['pdf'])
  );
  $actions = FieldList::create(
    FormAction::create('submit')
  );
  $validator = RequiredFields::create('MySafeField', 'MyUnsafeField');
  return Form::create($this, 'Form', $fields, $actions, $validator);
}

public function submit($data, $form)
{
  $data['MyUnsafeField'] // not validated
  $_FILES['MyUnsafeField'] // not validated
}
```
Base CVSS: 3.4
CWP CVSS: 3.4
Reporters: Dylan Wagstaff from Silverstripe Ltd
CVE-2020-26136 GraphQL doesn't honour MFA when using basic auth

Severity:

Medium (?)

Identifier:
CVE-2020-26136

Versions Affected:
silverstripe/graphql: ^3.0.0, ^4.0.0-alpha1

Versions Fixed:
silverstripe/graphql: ^3.5.0, ^4.0.0-alpha2

Release Date:
2021-06-08

The GraphQL module accepts basic-auth as an authentication method by default. This can be used to bypass MFA authentication if the silverstripe/mfa module is installed, which is now a commonly installed module. A users password is still required though.
Basic-auth has been removed as a default authentication method. It desired, it can be re-enabled by adding it to the authenticators key of a schema, or on SilverStripe\Graphql\Auth\Handler, i.e.
```
  authenticators:
    -
      class: SilverStripe\GraphQL\Auth\BasicAuthAuthenticator
      priority: 20
```
Base CVSS: 4.2
CWP CVSS: 4.2
Reporters: Maxime Rainville from Silverstripe Ltd
CVE-2021-27938 XSS in CreateQueuedJobTask

Severity:

High (?)

Identifier:
CVE-2021-27938

Versions Affected:
symbiote/silverstripe-queuedjobs: ^3.0.0, ^4.0.0

Versions Fixed:
symbiote/silverstripe-queuedjobs: 3.0.2, 3.1.4, 4.0.7, 4.1.2, 4.2.4, 4.3.3, 4.4.3, 4.5.1, 4.6.4

Release Date:
2021-03-15

A high severity security vulnerability has been identified in the Silverstripe CMS 3 and 4 version of the symbiote/silverstripe-queuedjobs module, which is a popular optional module used to manage dev tasks in the CMS UI for the Silverstripe CMS. A Cross Site Scripting vulnerability allows an attacker to inject an arbitrary payload in the CreateQueuedJobTask dev task via a specially crafted URL.

The corresponding releases contains a fix. We recommend reviewing the impact it may have on your site(s) and upgrading as soon as possible.
Base CVSS: 7.1
CWP CVSS: 7.1
Reporters: Michael Tsai from ZX Security
CVE-2020-9311 Malicious user profile information can cause login form XSS

Severity:

Medium (?)

Identifier:
CVE-2020-9311

Versions Affected:
silverstripe/framework: ^3.0

Versions Fixed:
silverstripe/framework: 3.7.5

Release Date:
2020-07-13

Malicious users with a valid Silverstripe CMS login (usually CMS access) can craft profile information which can lead to XSS for other users through specially crafted login form URLs.
Base CVSS: 4.6
CWP CVSS: 4.6
Reporter: Devi Prasad, Application Security, Ceva Logistics
CVE-2020-9309 Script execution on protected files with MIME spoofing content

Severity:

Medium (?)

Identifier:
CVE-2020-9309

Versions Affected:
silverstripe/recipe-core: ^4.0.0

Versions Fixed:
silverstripe/recipe-core: 4.6.0 or silverstripe/mimetype-validator: 2.0.0

Release Date:
2020-07-13

Silverstripe CMS can be susceptible to script execution from malicious upload contents under allowed file extensions (for example HTML code in a TXT file). When these files are stored as protected or draft files, the MIME detection can cause browsers to execute the file contents. Uploads stored as protected or draft files are allowed by default for authorised users only, but can also be enabled through custom logic as well as modules such as silverstripe/userforms.
Sites using the previously optional silverstripe/mimevalidator module can configure MIME whitelists rather than extension whitelists, and hence prevent this issue. Sites on the Common Web Platform (CWP) use this module by default, and are not affected.
Sites upgrading to silverstripe/recipe-core 4.6.0 will automatically be protected, as silverstripe/mimevalidator is now a core dependency. Sites using an older version of silverstripe/recipe-core need to manually install and configure silverstripe/mimevalidator.
Read the changelog for your targeted release for more information on the best course of action:
Base CVSS: 4.6
CWP CVSS: 0.0 (CWP customers are unaffected by this vulnerability.)
Reporter: Maxime Rainville, Senior Open-Source Developer, Silverstripe Ltd
Addendum: silverstripe/userforms 5.6.0 added an explicit requirement on silverstripe/mimevalidator for the file upload field as a further security enhancement. However, this fix was not properly merged up in the development branches, so silverstripe/userforms 5.6.1. 5.6.2 and 5.7.0 erroneously removed the new mimevalidator package. silverstripe/userforms 5.6.3 and 5.7.1 have been tagged to reintroduce the mimevalidator package and remedy this issue.
CVE-2020-6165 Limited queries break CanViewPermissionChecker

Severity:

Medium (?)

Identifier:
CVE-2020-6165

Versions Affected:
silverstripe/graphql: ^3.2, silverstripe/recipe-cms: ^4.5.0

Versions Fixed:
silverstripe/graphql: 3.2.4, silverstripe/graphql: 3.3.0

Release Date:
2020-07-13

The automatic permission checking mechanism in the silverstripe/graphql module does not provide complete protection against lists that are limited (e.g. through pagination), resulting in records that should fail the permission check being added to the final result set.
GraphQL endpoints are configured by default through the CMS (e.g. for assets), but the admin/graphql endpoint is access protected by default. This limits the vulnerability to users with access to the CMS, but still applies when those authenticated users have limited permissions (e.g. where viewing records exposed through admin/graphql require administrator permissions).
Where custom GraphQL endpoints have been be configured for a specific implementation (usually under /graphql), this vulnerability could also be exploited through unauthenticated requests.
This vulnerability only applies for reading records it does not allow unauthorised changing of records.
If your project implements custom GraphQL queries returning a query-limited result set, you might have to validate that those queries still work as expected and adjust them if they don't.

Review the 4.5.3 changelogs or the 4.6.0 changelogs for additional details on how to upgrade your project.
Base CVSS Score: 5.3
CWP CVSS Score: 5.3
Reporter: Matthias Leutenegger, CEO, Syntro GmbH and Rob Ingram
CVE-2020-6164 Information disclosure on /interactive URL path

Severity:

Low (?)

Identifier:
CVE-2020-6164

Versions Affected:
silverstripe/framework: ^3.0, silverstripe/framework: ^4.0

Versions Fixed:
silverstripe/framework: 4.4.7, silverstripe/framework: 4.5.4, silverstripe/framework: 4.6.0

Release Date:
2020-07-13

A specific URL path configured by default through the silverstripe/framework module can be used to disclose the fact that a domain is hosting a Silverstripe application. There is no disclosure of the specific version. The functionality on this URL path is limited to execution in a CLI context, and is not known to present a vulnerability through web-based access. As a side-effect, this preconfigured path also blocks the creation of other resources on this path (e.g. a page).
Base CVSS: 0.0
CWP CVSS: 0.0
Reporter: Elliot Sawyer, Senior Silverstripe Developer, Catalyst

Security Releases

CVE-2022-28803 - Stored XSS in link tags added via XHR

CVE-2022-25238 - Stored XSS via HTML fields

CVE-2022-24444 - Hybridsessions does not expire session id on logout

CVE-2021-41559 - Quadratic blowup in Convert::xml2array()

CVE-2022-29254 Failed payment recorded has completed

CVE-2021-36150 - Insert from files link text - Reflective (self) Cross Site Scripting

CVE-2021-28661 Default GraphQL permission checker not inherited by query subclass

CVE-2021-25817 XXE Vulnerability in CSSContentParser

CVE-2020-26138 FormField with square brackets in field name skips validation

CVE-2020-26136 GraphQL doesn't honour MFA when using basic auth

CVE-2021-27938 XSS in CreateQueuedJobTask

CVE-2020-9311 Malicious user profile information can cause login form XSS

CVE-2020-9309 Script execution on protected files with MIME spoofing content

CVE-2020-6165 Limited queries break CanViewPermissionChecker

CVE-2020-6164 Information disclosure on /interactive URL path