Lucene search

GitHub Advisory DatabaseGHSA-FW84-XGM8-9JMV

HistoryApr 26, 2023 - 7:46 p.m.

Open redirect vulnerability on CMSSecurity relogin screen

2023-04-2619:46:30

CWE-601

GitHub Advisory Database

github.com

open redirect

cmssecurity

relogin screen

upgrade

silverstripe/framework 4.12.5

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

32.3%

JSON

An attacker can display a link to a third party website on a login screen by convincing a legitimate content author to follow a specially crafted link.

Upgrade to silverstripe/framework 4.12.5 or above to remedy the vulnerability.

Reporter: Matthew Dekker

Affected configurations

Vulners

Node

silverstripeframeworkRange<4.12.5

VendorProductVersionCPE
silverstripeframework*cpe:2.3:a:silverstripe:framework:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
silverstripe	framework	*	cpe:2.3:a:silverstripe:framework::::::::

References

github.com/advisories/GHSA-fw84-xgm8-9jmv

github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2023-22729.yaml

github.com/silverstripe/silverstripe-framework/commit/1a5bb4cbece1721203977910b8ecd8b79c18dc77

github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-fw84-xgm8-9jmv

nvd.nist.gov/vuln/detail/CVE-2023-22729

www.silverstripe.org/download/security-releases/cve-2023-22729

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

32.3%

JSON

Related for GHSA-FW84-XGM8-9JMV