Chillu

**Name of the Vulnerable Software and Affected Versions** SilverStripe versions prior to 2.3.13 SilverStripe versions 2.4.x prior to 2.4.6 **Description** A cross-site scripting (XSS) issue exists due to insufficient input validation in the `process` function within `SSViewer.php`. This allows remote attackers to inject arbitrary web script or HTML via the `QUERY STRING` to template placeholders. Examples of vulnerable endpoints include "/admin/reports/", "/admin/comments/", "/admin/", "/admin/show/", "/admin/assets/", and "/admin/security/". **Recommendations** For SilverStripe versions prior to 2.3.13, update to version 2.3.13 or later. For SilverStripe versions 2.4.x prior to 2.4.6, update to version 2.4.6 or later.

**Name of the Vulnerable Software and Affected Versions** SilverStripe versions 2.3.x through 2.3.11 SilverStripe versions 2.4.x through 2.4.5 **Description** The issue allows remote attackers to execute arbitrary SQL commands via unspecified vectors when connected to a MySQL database using far east character encodings. This is due to a SQL injection vulnerability in the addslashes method. **Recommendations** For SilverStripe versions 2.3.x through 2.3.11, update to version 2.3.12 or later. For SilverStripe versions 2.4.x through 2.4.5, update to version 2.4.6 or later.

**Name of the Vulnerable Software and Affected Versions** SilverStripe version 2.4.6 **Description** A cross-site scripting (XSS) issue exists, allowing remote authenticated users with Content Authors privileges to inject arbitrary web script or HTML via the `Title` parameter in the admin/EditForm section. **Recommendations** For SilverStripe version 2.4.6, consider restricting access to the admin/EditForm section to prevent exploitation until a fix is available. As a temporary workaround, avoid using the `Title` parameter in the affected section until the issue is resolved.