CVE-2022-38148 Silverstripe silverstripe/framework through 4.11 allows SQL Injection.

This could allow attackers to execute arbitrary SQL commands against the database or obtain sensitive information by injecting valid data into forms. This issue has been fixed and the current version is 4.11.15. In addition to being exposed via a remote database, it could also be leveraged to gain remote code execution on a site if the site is running WordPress. This issue has been reported to occur due to incorrect escaping of user-supplied input. The issue has been fixed by altering the database schema to ignore unsafe data. You can upgrade to the latest version at https://silverstripe.com/support .

SQL Injection - CVE-2001 -4651

An unspecified vulnerability has been discovered in the SilverStripe CMS. This vulnerability could allow attackers to execute arbitrary SQL commands against the database or obtain sensitive information by injecting valid data into forms. The issue has been fixed and the current version is 4.11.15. In addition to being exposed via a remote database, it could also be leveraged to gain remote code execution on a site if the site is running WordPress. This issue has been reported to occur due to incorrect escaping of user-supplied input. The issue has been fixed by altering the database schema to ignore unsafe data. You can upgrade to the latest version at https://silverstripe.com/support .

SQL Injection

SQL injection is one of the most common types of vulnerabilities in web applications and is a serious threat to your business. It occurs when an application fails to properly escape user-supplied input before inserting it into a SQL query. Most often, this happens because the application does not have adequate input validation.
With SQL injection, attackers are able to execute arbitrary commands against the database or obtain sensitive information that should not be exposed to unauthorized users by injecting valid data into forms. This issue can occur due to incorrect escaping of user-supplied input or improper filtering of user-supplied input.

Silverstripe 4.11.15 Database Injection

Silverstripe 4.11.15 is a security release that fixes a critical vulnerability in the Silverstripe framework which could allow attackers to execute arbitrary SQL commands against the database, or obtain sensitive information by injecting valid data into forms.

Summing Up - Only update to the latest version

To fix this issue, update to the latest version of Silverstripe.

Timeline

Published on: 11/21/2022 16:15:00 UTC
Last modified on: 11/22/2022 00:49:00 UTC

References

• https://www.silverstripe.org/download/security-releases/
• https://www.silverstripe.org/download/security-releases/CVE-2022-38148
• https://www.silverstripe.org/blog/tag/release
• https://forum.silverstripe.org/c/releases
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-38148