GitHub Advisory Database GHSA-R32J-MR8P-HFP8
History: May 23, 2024 - 2:57 p.m.

Silverstripe XSS in TreeDropdownField and TreeMultiSelectField

2024-05-23 14:57:18
CWE-79
GitHub Advisory Database
github.com
cross-site scripting
treedropdownfield
treemultiselectfield
cms access
dataobjects
vulnerability
html
encoding

AI Score: 6.4 Medium
Confidence: High

A cross-site scripting vulnerability has been discovered in the TreeDropdownField and TreeMultiSelectField form fields.

This vulnerability can only be exploited if a user with CMS access has posted malicious or unescaped HTML into any of the dataobjects used as a data source for either of these fields.

This has been resolved by ensuring that all dataobjects used as a data source have their content safely encoded.
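The bug and its fix, as an added illustration that is not Silverstripe's own code (the framework is PHP; the pattern is shown here in plain JavaScript): tree markup built by concatenating record titles straight from the data-source dataobjects, beside the same renderer with every record value HTML-encoded first. The node shape, field names and sample titles are constructed for the example.

```javascript
// Constructed sample "dataobjects" used as a tree data source. The second
// title is the kind of stored HTML a CMS user could have saved in a record.
const sampleNodes = [
  { id: 1, title: "About us", children: [] },
  { id: 2, title: 'Team <script>alert("xss")</script>', children: [
      { id: 3, title: "Board & Staff", children: [] },
  ] },
];

// Encode the five characters that matter in HTML text and attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Before the fix: record titles go into the <li> markup unencoded, so any
// HTML stored in a dataobject becomes live markup in the CMS page.
function renderTreeUnsafe(nodes) {
  return "<ul>" + nodes.map((n) =>
    `<li data-id="${n.id}"><a>${n.title}</a>` +
    (n.children.length ? renderTreeUnsafe(n.children) : "") +
    "</li>").join("") + "</ul>";
}

// After the fix: every value sourced from a dataobject is encoded before it
// is placed in the markup, so stored HTML is displayed as visible text.
function renderTreeSafe(nodes) {
  return "<ul>" + nodes.map((n) =>
    `<li data-id="${escapeHtml(n.id)}"><a>${escapeHtml(n.title)}</a>` +
    (n.children.length ? renderTreeSafe(n.children) : "") +
    "</li>").join("") + "</ul>";
}

// Simple check a reviewer can run over generated tree markup: no value that
// came from a record should survive as a live script tag.
function containsLiveScriptTag(markup) {
  return /<script\b/i.test(markup);
}
```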

Affected configurations

Vulners
Node | Range
silverstripe framework | 3.1.9

CPE
Name | Operator | Version
silverstripe/framework | le | 3.1.9
