GHSA-5f5v-5c3v-gw5v

Source

https://github.com/advisories/GHSA-5f5v-5c3v-gw5v

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-5f5v-5c3v-gw5v/GHSA-5f5v-5c3v-gw5v.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-5f5v-5c3v-gw5v

Published

2024-05-23T14:45:11Z

Modified

2024-11-28T05:41:09.877783Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

Silverstripe IE requests not properly behaving with rewritehashlinks

Details

Non IE browsers don’t appear to be affected, but I haven’t tested a wide range of browsers to be sure

Requests that come through from IE do NOT appear to encode all entities in the URL string, meaning they are inserted into output content directly by SSViewer::process() when rewriting hashlinks, as it directly outputs $SERVER[‘REQUESTURI’]

Example IE8 request 127.0.0.1 - - [18/Jun/2014:14:13:42 +1000] “GET /site/cars/brands/toyota?one=1\”onmouseover=\”alert(‘things’);\” HTTP/1.1” 200

Example FF request 127.0.0.1 - - [18/Jun/2014:14:14:22 +1000] “GET /site/cars/brands/toyota?one=1\%22onmouseover=\%22alert(%27things%27);\%22 HTTP/1.1” 200

This causes any hash anchor to have the JS code inserted into the page as-is.

Database specific

{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-23T14:45:11Z"
}

References

Affected packages

Packagist / silverstripe/framework

Package

Name: silverstripe/framework
Purl: pkg:composer/silverstripe/framework

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.0.13

Affected versions

2.*

2.4.9

2.4.10

2.4.11

2.4.12

2.4.13

2.5.0

3.*

3.0.2.1

3.0.3-rc1

3.0.3-rc2

3.0.3

3.0.4

3.0.5

3.0.6-rc1

3.0.6-rc2

3.0.6

3.0.7-rc1

3.0.7

3.0.8

3.0.9-rc1

3.0.9

3.0.10-rc1

3.0.10

3.0.11-rc1

3.0.11

3.0.12

Database specific

{
    "last_known_affected_version_range": "<= 3.0.12"
}

Packagist / silverstripe/framework

Package

Name: silverstripe/framework
Purl: pkg:composer/silverstripe/framework

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.1.0

Fixed

3.1.12

Affected versions

3.*

3.1.0

3.1.1

3.1.2-rc1

3.1.2

3.1.3-rc1

3.1.3-rc2

3.1.3

3.1.4-rc1

3.1.4

3.1.5-rc1

3.1.5

3.1.6-rc1

3.1.6-rc2

3.1.6-rc3

3.1.6

3.1.7-rc1

3.1.7

3.1.8

3.1.9-rc1

3.1.9

3.1.10-rc1

3.1.10-rc2

3.1.10

3.1.11-rc1

3.1.11

Database specific

{
    "last_known_affected_version_range": "<= 3.1.11"
}