CVE-2019-19325

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2019-19325
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-19325.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2019-19325
Aliases
Published
2020-02-17T20:15:11.007Z
Modified
2025-11-20T10:50:24.810054Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

SilverStripe through 4.4.x before 4.4.5 and 4.5.x before 4.5.2 allows Reflected XSS on the login form and custom forms. Silverstripe Forms allow malicious HTML or JavaScript to be inserted through non-scalar FormField attributes, which allows performing XSS (Cross-Site Scripting) on some forms built with user input (Request data). This can lead to phishing attempts to obtain a user's credentials or other sensitive user input.

References

Affected packages

Git

github.com/silverstripe/silverstripe-cms

Affected ranges

Type
GIT
Repo
https://github.com/silverstripe/silverstripe-cms
Events
Introduced
00c9262eb7b6200735f6efab0624b704b0a6b2bb
Fixed
7b50a5c0b662598e89a10befa3fe61ce107b6eaf

Affected versions

4.*

4.2.5
4.3.4
4.3.5
4.4.0
4.4.0-rc1
4.4.1
4.4.2
4.4.3
4.4.4

github.com/silverstripe/silverstripe-framework

Affected ranges

Type
GIT
Repo
https://github.com/silverstripe/silverstripe-framework
Events
Introduced
6334bd87b5ccdda22abbb498cc77bfd4cf1224b7
Fixed
a9598eec3f1a0884a2687962de074fe3718d9d96