Merge pull request #592 from creative-commoners/pulls/master/silverstripe-490-release-cves

xabbuh · web-flow · commit a461c10e85e7 · 2021-10-19T11:48:55.000+02:00
Add CVE-2021-36150 and CVE-2021-28661 which were disclosed with the Silverstripe 4.9.0 release
diff --git a/silverstripe/admin/CVE-2021-36150.yaml b/silverstripe/admin/CVE-2021-36150.yaml
@@ -0,0 +1,8 @@
+title:     "CVE-2021-36150 - Insert from files link text - Reflective (self) Cross Site Scripting"
+link:      https://www.silverstripe.org/download/security-releases/CVE-2021-36150
+cve:       CVE-2021-36150
+branches:
+    1.0.x:
+        time:     2021-10-05 05:18:20
+        versions: ['>=1.0.0', '<1.8.1']
+reference: composer://silverstripe/admin
diff --git a/silverstripe/graphql/CVE-2021-28661.yaml b/silverstripe/graphql/CVE-2021-28661.yaml
@@ -0,0 +1,8 @@
+title:     "CVE-2021-28661 Default GraphQL permission checker not inherited by query subclass"
+link:      https://www.silverstripe.org/download/security-releases/CVE-2021-28661
+cve:       CVE-2021-28661
+branches:
+    3.0.x:
+        time:     2021-06-07 22:31:00
+        versions: ['>=3.0.0', '<3.5.2']
+reference: composer://silverstripe/graphql
