A high level security issue has been noted in the SilverStripe CMS.
Issue CVE
SS-2015-008
Severity
Important
Affected version
CMS Module 3.1.0 - 3.1.10, 3.1.11-rc1, 3.0.11 and below
Affected users
Any website which exposes the SiteTree (or subclasses thereof) via the RestfulServer module, or provides CMS access to users with limited content-creation permissions.
Details
By default user permissions are not validated by the SiteTree::canCreate method, unless overridden by user code or via the configuration system.
This vulnerability will allow users, or unauthenticated guests, to create new SiteTree objects in the database. This vulnerability is present when such users are given CMS access via other means, or if there is another mechanism (such as RestfulServer module) which allows model editing and relies on model-level permission checks.
This vulnerability is restricted to the creation of draft or live pages, and does not allow users to edit, publish, or unpublish existing pages.
Cause
Insufficient permission validation in the SiteTree::canCreate method.
Planned Release
A fix for this issue is included in the 3.0.12 and 3.1.11 releases which have been released Thursday 19th of March 2015.
All users should upgrade as possible.