Veracode Vulnerability DatabaseVERACODE:38206Cross-Site Scripting (XSS)
5.4 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.9 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:P/I:P/A:N
0.001 Low
EPSS
Percentile
33.2%
silverstripe/admin is vulnerable to Cross-Site Scripting (XSS). The vulnerability exists in vendor.js due to an outdated jquery which allows an attacker to inject and execute arbitrary javascript using a specially crafted proto query string parameter.
| CPE | Name | Operator | Version |
|---|---|---|---|
| silverstripe/admin | le | 2.x-dev | |
| silverstripe/admin | le | 1.11.2 | |
| silverstripe/admin | le | 1.13.12 | |
| silverstripe/admin | le | 1.11.2 |
References
forum.silverstripe.org/c/releases
github.com/advisories/GHSA-44xv-v98g-v79f
github.com/silverstripe/silverstripe-admin/commit/e27f35538e3978d357a96ad3cf7052a005642247
github.com/silverstripe/silverstripe-admin/pull/1392
www.silverstripe.org/blog/tag/release
www.silverstripe.org/download/security-releases/
www.silverstripe.org/download/security-releases/CVE-2022-38146
Related
5.4 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.9 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:P/I:P/A:N
0.001 Low
EPSS
Percentile
33.2%