PT-2010-3263 · Silverstripe · Silverstripe Forum Module

Published: 2010-04-28 · Updated: 2022-05-14 · CVE-2010-1593

CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions
SilverStripe versions prior to 2.3.5
SilverStripe Forum module versions prior to 0.2.5 in SilverStripe versions prior to 2.3.5

Description
The issue allows remote attackers to inject arbitrary web script or HTML (cross-site scripting). This can be achieved via the CommenterURL parameter to PostCommentForm, and in the Forum module via the Search parameter to "forums/search" (also known as the search script).

Recommendations
For SilverStripe versions prior to 2.3.5, update to version 2.3.5 or later. For SilverStripe Forum module versions prior to 0.2.5 in SilverStripe versions prior to 2.3.5, update the Forum module to version 0.2.5 or later in SilverStripe version 2.3.5 or later. As a temporary workaround until the patch can be applied, consider restricting access to the PostCommentForm and to the search script in the Forum module, and avoid accepting the CommenterURL parameter and the Search parameter on the affected endpoints until the issue is resolved.

XSS

Weakness Enumeration

Related Identifiers

CVE-2010-1593
GHSA-WG4M-VVP6-2HC5

Affected Products

Silverstripe
Silverstripe Forum Module