GHSA-jx34-gqqq-r6gm

Source

https://github.com/advisories/GHSA-jx34-gqqq-r6gm

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-jx34-gqqq-r6gm/GHSA-jx34-gqqq-r6gm.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-jx34-gqqq-r6gm

Aliases

CVE-2022-25238

Published

2022-06-29T22:14:03Z

Modified

2024-02-21T05:32:08.922329Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

Stored XSS via HTML fields in SilverStripe Framework

Details

SilverStripe Framework through 4.10.8 allows XSS, inside of script tags that can can be added to website content via XHR by an authenticated CMS user if the cwp-core module is not installed on the sanitiseserverside contig is not set to true in project code.

Database specific

{
    "nvd_published_at": "2022-06-28T22:15:00Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-29T22:14:03Z"
}

References

Affected packages

Packagist / silverstripe/framework

Package

Name: silverstripe/framework
Purl: pkg:composer/silverstripe/framework

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.0.0

Fixed

4.10.9

Affected versions

4.*

4.0.0

4.0.1-rc1

4.0.1

4.0.2

4.0.3

4.0.4

4.0.5

4.0.6

4.0.7

4.1.0-rc1

4.1.0-rc2

4.1.0

4.1.1

4.1.2

4.1.3

4.1.4

4.1.5

4.2.0-beta1

4.2.0

4.2.1

4.2.2

4.2.3

4.2.4

4.2.5

4.3.0-rc1

4.3.0

4.3.1

4.3.2

4.3.3

4.3.4

4.3.5

4.4.0-rc1

4.4.0

4.4.1

4.4.2

4.4.3

4.4.4

4.4.5

4.4.6

4.4.7

4.5.0-alpha1

4.5.0-rc1

4.5.0-rc2

4.5.0

4.5.1

4.5.2

4.5.3

4.5.4

4.6.0-beta1

4.6.0-rc1

4.6.0

4.6.1

4.6.2

4.7.0-beta1

4.7.0-rc1

4.7.0

4.7.1

4.7.2

4.7.3

4.7.4

4.8.0-beta1

4.8.0-rc1

4.8.0

4.8.1

4.9.0-alpha1

4.9.0-beta1

4.9.0-rc1

4.9.0

4.9.1

4.9.2

4.9.3

4.9.4

4.10.0-beta1

4.10.0-rc1

4.10.0

4.10.1

4.10.2

4.10.3

4.10.4

4.10.5

4.10.6

4.10.7

4.10.8