Silverstripe XSS in TreeDropdownField and TreeMultiSelectField

2024-05-2314:57:18

Google

osv.dev

silverstripe

xss

treedropdownfield

treemultiselectfield

vulnerability

data source

encoded content

6.4 Medium

AI Score

Confidence

High

JSON

A cross-site scripting vulnerability has been discovered in the TreeDropdownField and TreeMultiSelectField.

This vulnerability can only be exploited if a user with CMS access has posted malicious or unescaped HTML into any of the dataobjects used as a data source for either of these fields.

This has been resolved by ensuring that all dataobjects used as a data source have their content safely encoded.

CPENameOperatorVersion
silverstripe/frameworkeq3.1.10-rc1
silverstripe/frameworkeq3.1.2-rc1
silverstripe/frameworkeq3.1.3
silverstripe/frameworkeq3.1.3-rc1
silverstripe/frameworkeq3.1.2
silverstripe/frameworkeq3.1.5
silverstripe/frameworkeq3.1.4-rc1
silverstripe/frameworkeq3.1.6
silverstripe/frameworkeq3.1.3-rc2
silverstripe/frameworkeq3.1.8

Name	Operator	Version
silverstripe/framework	eq	3.1.10-rc1
silverstripe/framework	eq	3.1.2-rc1
silverstripe/framework	eq	3.1.3
silverstripe/framework	eq	3.1.3-rc1
silverstripe/framework	eq	3.1.2
silverstripe/framework	eq	3.1.5
silverstripe/framework	eq	3.1.4-rc1
silverstripe/framework	eq	3.1.6
silverstripe/framework	eq	3.1.3-rc2
silverstripe/framework	eq	3.1.8

Rows per page:

1-10 of 221

References

github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2015-004-1.yaml

github.com/silverstripe/silverstripe-framework

github.com/silverstripe/silverstripe-framework/commit/89c14d079d3a130d6c4029af596262528ce53925

www.silverstripe.org/software/download/security-releases/ss-2015-004

6.4 Medium

AI Score

Confidence

High

JSON