In SilverStripe through 4.3.3, there is access escalation for CMS users with limited access through permission cache pollution.
https://www.silverstripe.org/download/security-releases/CVE-2019-12617
https://www.silverstripe.org/download/security-releases/