GHSA-mqf5-275h-gf6r

Source
https://github.com/advisories/GHSA-mqf5-275h-gf6r
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-mqf5-275h-gf6r/GHSA-mqf5-275h-gf6r.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-mqf5-275h-gf6r
Published
2024-05-23T17:27:19Z
Modified
2024-11-28T05:33:28.929622Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Silverstripe framework is vulnerable to XSS in install.php
Details

During installation, certain parameters (adminusername and adminpassword) are not escaped in the setup form.

This issue is resolved in 3.1.14 stable; existing users are nonetheless advised to remove install.php before deploying to a production server.

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-23T17:27:19Z"
}
References

Affected packages

Packagist / silverstripe/framework

Package

Name
silverstripe/framework
Purl
pkg:composer/silverstripe/framework

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.1.0
Fixed
3.1.14

Affected versions

3.*

3.1.0
3.1.1
3.1.2-rc1
3.1.2
3.1.3-rc1
3.1.3-rc2
3.1.3
3.1.4-rc1
3.1.4
3.1.5-rc1
3.1.5
3.1.6-rc1
3.1.6-rc2
3.1.6-rc3
3.1.6
3.1.7-rc1
3.1.7
3.1.8
3.1.9-rc1
3.1.9
3.1.10-rc1
3.1.10-rc2
3.1.10
3.1.11-rc1
3.1.11
3.1.12
3.1.13-rc1
3.1.13
3.1.14-rc1