SilverStripe comments module includes version of jQuery vulnerable to Cross-site Scripting

2024-05-2718:24:02

Google

osv.dev

silverstripe

comments module

jquery

cross-site scripting

cwp 2.0.0

silverstripe 4.2.0

6.3 Medium

AI Score

Confidence

High

JSON

The silverstripe/comments module, the cwp/starter-theme and the cwp/watea-theme include an outdated version of jQuery by default, which contains XSS vulnerabilities if user input is used in certain contexts. Though no known exploit has been found for these in the existing usage, user customisation to these themes could have made them exploitable.

CWP 2.0.0 has been released with the fixed cwp/stater-theme and silverstripe/comments module, and SilverStripe 4.2.0 will be released with the fixed silverstripe-themes/simple theme.

CPENameOperatorVersion
silverstripe/commentseq3.0.0-beta2
silverstripe/commentseq2.0.1
silverstripe/commentseq3.0.0
silverstripe/commentseq2.1.0
silverstripe/commentseq2.0.0
silverstripe/commentseq2.1.4
silverstripe/commentseq2.0.3
silverstripe/commentseq3.0.0-beta1
silverstripe/commentseq2.0.0-beta1
silverstripe/commentseq2.1.6

Name	Operator	Version
silverstripe/comments	eq	3.0.0-beta2
silverstripe/comments	eq	2.0.1
silverstripe/comments	eq	3.0.0
silverstripe/comments	eq	2.1.0
silverstripe/comments	eq	2.0.0
silverstripe/comments	eq	2.1.4
silverstripe/comments	eq	2.0.3
silverstripe/comments	eq	3.0.0-beta1
silverstripe/comments	eq	2.0.0-beta1
silverstripe/comments	eq	2.1.6

Rows per page:

1-10 of 171

References

github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/comments/SS-2018-015-1.yaml

github.com/silverstripe/silverstripe-comments

www.silverstripe.org/download/security-releases/ss-2018-015

6.3 Medium

AI Score

Confidence

High

JSON