PT-2012-5695 · Silverstripe · Silverstripe

Henri Salo · Published 2012-09-17 · Updated 2022-05-17 · CVE-2012-4968

CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions

SilverStripe versions 2.3.x through 2.3.12
SilverStripe versions 2.4.x through 2.4.6

Description

The issue allows remote attackers to inject arbitrary web script or HTML via crafted strings passed to various methods in a template. The affected methods include AbsoluteLinks, BigSummary, ContextSummary, EscapeXML, FirstParagraph, FirstSentence, Initial, LimitCharacters, LimitSentences, LimitWordCount, LimitWordCountXML, Lower, LowerCase, NoHTML, Summary, Upper, UpperCase, and URL.

Recommendations

For SilverStripe versions 2.3.x through 2.3.12, update to version 2.3.13 or later. For SilverStripe versions 2.4.x through 2.4.6, update to version 2.4.7 or later. As a temporary workaround, consider restricting the use of the vulnerable methods in templates until the fixed version can be installed.
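The pattern behind this class of bug, as an added stand-alone PHP illustration (not SilverStripe's code): a template helper that truncates a string and returns it raw versus one that escapes its result after transforming it. The helper names, the `renderSummary` stand-in for a template, and the crafted input are all constructed for this example.

```php
<?php
// Added illustration, not SilverStripe's code: a text-transforming template
// helper must escape its result for HTML output instead of returning it raw.

// Constructed untrusted input, e.g. a content field saved by a low-privilege author.
const CRAFTED = 'Hello <script>alert(1)</script> world, and more text here';

// Vulnerable pattern: transforms the string and hands it back unescaped, so a
// template that prints the result emits any embedded markup verbatim.
function limitCharactersRaw(string $text, int $limit = 20, string $add = '...'): string
{
    return mb_strlen($text) > $limit ? mb_substr($text, 0, $limit) . $add : $text;
}

// Hardened pattern: transform first, then escape the final string for HTML.
// Escaping after truncation also avoids cutting an entity such as &amp; in half.
function limitCharactersSafe(string $text, int $limit = 20, string $add = '...'): string
{
    $truncated = mb_strlen($text) > $limit ? mb_substr($text, 0, $limit) . $add : $text;
    return htmlspecialchars($truncated, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Minimal stand-in for a template that interpolates the helper's result into HTML.
function renderSummary(string $summary): string
{
    return '<p class="summary">' . $summary . '</p>';
}

// Detection-style check: does the rendered fragment still contain a live <script> tag?
function containsRawScriptTag(string $html): bool
{
    return preg_match('/<script\b/i', $html) === 1;
}

$raw  = renderSummary(limitCharactersRaw(CRAFTED, 40));
$safe = renderSummary(limitCharactersSafe(CRAFTED, 40));

printf("vulnerable: %s\n  live script tag: %s\n", $raw, containsRawScriptTag($raw) ? 'yes' : 'no');
printf("hardened:   %s\n  live script tag: %s\n", $safe, containsRawScriptTag($safe) ? 'yes' : 'no');
```

With a 40-character limit the crafted `<script>` element survives truncation intact, so the raw variant renders it as executable markup while the hardened variant renders it as visible text.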


Related Identifiers

CVE-2012-4968
GHSA-V358-RVXR-WFFX

Affected Products

Silverstripe