Matthew Dekker

**Name of the Vulnerable Software and Affected Versions** Silverstripe Framework versions prior to 4.12.15 **Description** An attacker can display a link to a third party website on a login screen by convincing a legitimate content author to follow a specially crafted link. **Recommendations** For versions prior to 4.12.15, upgrade to Silverstripe Framework 4.12.15 or above to address the issue. As a temporary workaround, consider restricting access to the login screen until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Silverstripe silverstripe/framework versions 4.8.1 through 4.10.9 **Description** The issue is related to a quadratic blowup in the `Convert::xml2array()` function, which can be exploited via a crafted XML document to enable a remote attack. **Recommendations** For versions 4.8.1 through 4.10.9, consider disabling the `Convert::xml2array()` function until a patch is available to prevent potential exploitation. Restrict access to crafted XML documents to minimize the risk of a remote attack.