GHSA-mpqj-f4v3-334h – silverstripe/framework

Package

Manager: composer
Name: silverstripe/framework
Vulnerable Version: >=3.3.2 <3.3.3 || >=3.4.0 <3.4.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

EPSS: N/A pctlN/A

Details

Silverstripe Cross-site scripting vulnerability in VersionedRequestFilter A cross-site scripting vulnerability in VersionedRequestFilter has been found. If an incoming user request should not be able to access the requested stage, an error message is created for display on the CMS login page that they are redirected to. In this error message, the URL of the requested page is interpolated into the error message without being escaped; hence, arbitrary HTML can be injected into the CMS login page.

Metadata

Created: 2024-05-23T19:46:36Z
Modified: 2024-05-23T19:46:36Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-mpqj-f4v3-334h/GHSA-mpqj-f4v3-334h.json
CWE IDs: ["CWE-79"]
Alternative ID: N/A
Finding: F425
Auto approve: 1