GHSA-5f5v-5c3v-gw5v – silverstripe/framework

Package

Manager: composer
Name: silverstripe/framework
Vulnerable Version: >=0 <3.0.13 || >=3.1.0 <3.1.12

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

EPSS: N/A pctlN/A

Details

Silverstripe IE requests not properly behaving with rewritehashlinks Non IE browsers don’t appear to be affected, but I haven’t tested a wide range of browsers to be sure Requests that come through from IE do NOT appear to encode all entities in the URL string, meaning they are inserted into output content directly by SSViewer::process() when rewriting hashlinks, as it directly outputs $_SERVER[‘REQUEST_URI’] **Example IE8 request** 127.0.0.1 - - [18/Jun/2014:14:13:42 +1000] “GET /site/cars/brands/toyota?one=1\”onmouseover=\”alert(‘things’);\” HTTP/1.1” 200 **Example FF request** 127.0.0.1 - - [18/Jun/2014:14:14:22 +1000] “GET /site/cars/brands/toyota?one=1\%22onmouseover=\%22alert(%27things%27);\%22 HTTP/1.1” 200 This causes any hash anchor to have the JS code inserted into the page as-is.

Metadata

Created: 2024-05-23T14:45:11Z
Modified: 2024-05-23T14:45:11Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-5f5v-5c3v-gw5v/GHSA-5f5v-5c3v-gw5v.json
CWE IDs: ["CWE-79"]
Alternative ID: N/A
Finding: F008
Auto approve: 1