CVE-2011-4958
5.9 Medium
AI Score
Confidence
High
4.3 Medium
CVSS2
Access Vector
Access Complexity
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.007 Low
EPSS
Percentile
79.5%
Cross-site scripting (XSS) vulnerability in the process function in SSViewer.php in SilverStripe before 2.3.13 and 2.4.x before 2.4.6 allows remote attackers to inject arbitrary web script or HTML via the QUERY_STRING to template placeholders, as demonstrated by a request to (1) admin/reports/, (2) admin/comments/, (3) admin/, (4) admin/show/, (5) admin/assets/, and (6) admin/security/.
Affected configurations
References
doc.silverstripe.org/sapphire/en/trunk/changelogs/2.3.12
doc.silverstripe.org/sapphire/en/trunk/changelogs/2.4.6
osvdb.org/76258
secunia.com/advisories/46390
www.rul3z.de/advisories/SSCHADV2011-024.txt
www.securityfocus.com/archive/1/520050/100/0/threaded
github.com/silverstripe/sapphire/commit/16c3235
github.com/silverstripe/sapphire/commit/52a895f
github.com/silverstripe/sapphire/commit/bdd6391
Related
5.9 Medium
AI Score
Confidence
High
4.3 Medium
CVSS2
Access Vector
Access Complexity
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.007 Low
EPSS
Percentile
79.5%