GitHub Advisory DatabaseGHSA-QVRV-2X7X-78X2Reflected XSS in SilverStripe
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS
Percentile
33.8%
SilverStripe through 4.4.x before 4.4.5 and 4.5.x before 4.5.2 allows Reflected XSS on the login form and custom forms. Silverstripe Forms allow malicious HTML or JavaScript to be inserted through non-scalar FormField attributes, which allows performing XSS (Cross-Site Scripting) on some forms built with user input (Request data). This can lead to phishing attempts to obtain a user's credentials or other sensitive user input.
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| silverstripe | framework | * | cpe:2.3:a:silverstripe:framework:*:*:*:*:*:*:*:* |
References
github.com/advisories/GHSA-qvrv-2x7x-78x2
github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2019-19325.yaml
github.com/silverstripe/silverstripe-framework/commit/49fda52b12ba59f0a04bcabf78425586a8779e89
nvd.nist.gov/vuln/detail/CVE-2019-19325
www.silverstripe.org/download/security-releases/cve-2019-19325
www.silverstripe.org/download/security-releases/cve-2019-19325/
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS
Percentile
33.8%