Silverstripe framework is vulnerable to XSS in install.php

2024-05-2317:27:19

Google

osv.dev

silverstripe

xss

vulnerability

install.php

setup form

parameters

admin_username

admin_password

stable

3.1.14

production server

file removal

6.9 Medium

AI Score

Confidence

Low

JSON

During installation, certain parameters (admin_username and admin_password) are not escaped in the setup form.

This issue is resolved in 3.1.14 stable, although existing users are advised to remove this file prior to deploying to a production server.

CPENameOperatorVersion
silverstripe/frameworkeq3.1.10-rc1
silverstripe/frameworkeq3.1.2-rc1
silverstripe/frameworkeq3.1.3
silverstripe/frameworkeq3.1.3-rc1
silverstripe/frameworkeq3.1.2
silverstripe/frameworkeq3.1.5
silverstripe/frameworkeq3.1.4-rc1
silverstripe/frameworkeq3.1.14-rc1
silverstripe/frameworkeq3.1.6
silverstripe/frameworkeq3.1.3-rc2

Name	Operator	Version
silverstripe/framework	eq	3.1.10-rc1
silverstripe/framework	eq	3.1.2-rc1
silverstripe/framework	eq	3.1.3
silverstripe/framework	eq	3.1.3-rc1
silverstripe/framework	eq	3.1.2
silverstripe/framework	eq	3.1.5
silverstripe/framework	eq	3.1.4-rc1
silverstripe/framework	eq	3.1.14-rc1
silverstripe/framework	eq	3.1.6
silverstripe/framework	eq	3.1.3-rc2

Rows per page:

1-10 of 291

References

github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2015-016-1.yaml

github.com/silverstripe/silverstripe-framework

github.com/silverstripe/silverstripe-framework/commit/4c73721bab0d543eee6137e3c00aa8ec727e95d1

www.silverstripe.org/software/download/security-releases/ss-2015-016

6.9 Medium

AI Score

Confidence

Low

JSON