GHSA-frm9-7pm9-5rgc

Source

https://github.com/advisories/GHSA-frm9-7pm9-5rgc

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-frm9-7pm9-5rgc/GHSA-frm9-7pm9-5rgc.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-frm9-7pm9-5rgc

Published

2024-05-27T18:24:02Z

Modified

2024-12-02T05:38:36.831196Z

Severity

4.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

SilverStripe comments module includes version of jQuery vulnerable to Cross-site Scripting

Details

The silverstripe/comments module, the cwp/starter-theme and the cwp/watea-theme include an outdated version of jQuery by default, which contains XSS vulnerabilities if user input is used in certain contexts. Though no known exploit has been found for these in the existing usage, user customisation to these themes could have made them exploitable.

CWP 2.0.0 has been released with the fixed cwp/stater-theme and silverstripe/comments module, and SilverStripe 4.2.0 will be released with the fixed silverstripe-themes/simple theme.

Database specific

{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-27T18:24:02Z"
}

References

Affected packages

Packagist / silverstripe/comments

Package

Name: silverstripe/comments
Purl: pkg:composer/silverstripe/comments

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.3.0

Fixed

3.1.1

Affected versions

2.*

2.0.0-beta1

2.0.0

2.0.1

2.0.2

2.0.3

2.1.0

2.1.1

2.1.2

2.1.3

2.1.4

2.1.5

2.1.6

2.1.7

3.*

3.0.0-beta1

3.0.0-beta2

3.0.0

3.1.0