GHSA-qvrv-2x7x-78x2

Source

https://github.com/advisories/GHSA-qvrv-2x7x-78x2

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-qvrv-2x7x-78x2/GHSA-qvrv-2x7x-78x2.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-qvrv-2x7x-78x2

Aliases

CVE-2019-19325

Published

2020-02-24T17:33:31Z

Modified

2024-02-16T08:12:56.084423Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

Reflected XSS in SilverStripe

Details

SilverStripe through 4.4.x before 4.4.5 and 4.5.x before 4.5.2 allows Reflected XSS on the login form and custom forms. Silverstripe Forms allow malicious HTML or JavaScript to be inserted through non-scalar FormField attributes, which allows performing XSS (Cross-Site Scripting) on some forms built with user input (Request data). This can lead to phishing attempts to obtain a user's credentials or other sensitive user input.

Database specific

{
    "nvd_published_at": "2020-02-17T20:15:11Z",
    "cwe_ids": [
        "CWE-78",
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2020-02-18T20:11:37Z"
}

References

Affected packages

Packagist / silverstripe/framework

Package

Name: silverstripe/framework
Purl: pkg:composer/silverstripe/framework

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.5.0

Fixed

4.5.2

Affected versions

4.*

4.5.0

4.5.1

Packagist / silverstripe/framework

Package

Name: silverstripe/framework
Purl: pkg:composer/silverstripe/framework

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.0.0

Fixed

4.4.5

Affected versions

4.*

4.0.0

4.0.1-rc1

4.0.1

4.0.2

4.0.3

4.0.4

4.0.5

4.0.6

4.0.7

4.1.0-rc1

4.1.0-rc2

4.1.0

4.1.1

4.1.2

4.1.3

4.1.4

4.1.5

4.2.0-beta1

4.2.0

4.2.1

4.2.2

4.2.3

4.2.4

4.2.5

4.3.0-rc1

4.3.0

4.3.1

4.3.2

4.3.3

4.3.4

4.3.5

4.4.0-rc1

4.4.0

4.4.1

4.4.2

4.4.3

4.4.4