CVE-2019-19325

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2019-19325

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-19325.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2019-19325

Aliases

GHSA-qvrv-2x7x-78x2

Published

2020-02-17T20:15:11Z

Modified

2024-09-03T02:31:58.050146Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

SilverStripe through 4.4.x before 4.4.5 and 4.5.x before 4.5.2 allows Reflected XSS on the login form and custom forms. Silverstripe Forms allow malicious HTML or JavaScript to be inserted through non-scalar FormField attributes, which allows performing XSS (Cross-Site Scripting) on some forms built with user input (Request data). This can lead to phishing attempts to obtain a user's credentials or other sensitive user input.

References

https://www.silverstripe.org/download/security-releases/cve-2019-19325

Affected packages

Git / github.com/silverstripe/silverstripe-cms

Affected ranges

Type: GIT
Repo: https://github.com/silverstripe/silverstripe-cms
Events: Introduced

00c9262eb7b6200735f6efab0624b704b0a6b2bb

Fixed

7b50a5c0b662598e89a10befa3fe61ce107b6eaf

Type: GIT
Repo: https://github.com/silverstripe/silverstripe-framework
Events: Introduced

6334bd87b5ccdda22abbb498cc77bfd4cf1224b7

Fixed

a9598eec3f1a0884a2687962de074fe3718d9d96

Affected versions

4.*

4.2.5

4.3.4

4.3.5

4.4.0

4.4.0-rc1

4.4.1

4.4.2

4.4.3

4.4.4