silverstripe/framework vulnerable to Cross-site Scripting In `OptionsetField` and `CheckboxSetField`

2024-05-2719:09:53

Google

osv.dev

silverstripe framework

cross-site scripting

optionsetfield

checkboxsetfield

vulnerability

html escaping

6.1 Medium

AI Score

Confidence

High

JSON

List of key / value pairs assigned to OptionsetField or CheckboxSetField do not have a default casting assigned to them. The effect of this is a potential XSS vulnerability in lists where either key or value contain unescaped HTML.

CPENameOperatorVersion
silverstripe/frameworkeq3.2.4
silverstripe/frameworkeq3.4.1-rc2
silverstripe/frameworkeq3.3.3-rc1
silverstripe/frameworkeq3.1.19-rc1
silverstripe/frameworkeq3.2.4-rc1
silverstripe/frameworkeq3.4.0
silverstripe/frameworkeq3.1.19
silverstripe/frameworkeq3.4.1-rc1
silverstripe/frameworkeq3.1.20-rc1
silverstripe/frameworkeq3.2.5-rc2

Name	Operator	Version
silverstripe/framework	eq	3.2.4
silverstripe/framework	eq	3.4.1-rc2
silverstripe/framework	eq	3.3.3-rc1
silverstripe/framework	eq	3.1.19-rc1
silverstripe/framework	eq	3.2.4-rc1
silverstripe/framework	eq	3.4.0
silverstripe/framework	eq	3.1.19
silverstripe/framework	eq	3.4.1-rc1
silverstripe/framework	eq	3.1.20-rc1
silverstripe/framework	eq	3.2.5-rc2

Rows per page:

1-10 of 161

References

github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2016-015-1.yaml

github.com/silverstripe/silverstripe-framework

github.com/silverstripe/silverstripe-framework/commit/049cdefacfd3122d59d5488c1317f999fe8aacc4

github.com/silverstripe/silverstripe-framework/commit/12a6b357e761f09d818fd0013eb2d85014de79a0

github.com/silverstripe/silverstripe-framework/commit/62a242154ec3508fe9b174a40713c8520ac1684c

github.com/silverstripe/silverstripe-framework/commit/b0ba2015d9684ee7b124dafcf6b59b046e20f8ed

www.silverstripe.org/download/security-releases/ss-2016-015

6.1 Medium

AI Score

Confidence

High

JSON