Silverstripe XSS in CMS Edit Page

2024-05-2319:33:34

Google

osv.dev

silverstripe

xss

cms

edit page

parameter sanitisation

arbitrary html

attack

url

6.8 Medium

AI Score

Confidence

High

JSON

Due to a lack of parameter sanitisation a carefully crafted URL could be used to inject arbitrary HTML into the CMS Edit page.

An attacker could create a URL and share it with a site administrator to perform an attack.

CPENameOperatorVersion
silverstripe/frameworkeq3.1.19-rc1
silverstripe/frameworkeq3.2.4-rc1
silverstripe/frameworkeq3.3.1
silverstripe/frameworkeq3.3.2-rc1
silverstripe/frameworkeq3.2.3
silverstripe/frameworkeq3.1.18

Name	Operator	Version
silverstripe/framework	eq	3.1.19-rc1
silverstripe/framework	eq	3.2.4-rc1
silverstripe/framework	eq	3.3.1
silverstripe/framework	eq	3.3.2-rc1
silverstripe/framework	eq	3.2.3
silverstripe/framework	eq	3.1.18

References

github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2016-004-1.yaml

github.com/silverstripe/silverstripe-framework

github.com/silverstripe/silverstripe-framework/commit/a24c8260b1d048dc6a0836eb1be9a1ca2056e770

github.com/silverstripe/silverstripe-framework/commits/3.3.2

www.silverstripe.org/download/security-releases/ss-2016-004

6.8 Medium

AI Score

Confidence

High

JSON