PT-2020-10136 · Silverstripe · Silverstripe

Ed Chipman

·

Published

2020-02-17

·

Updated

2020-02-24

·

CVE-2019-19325

CVSS v3.1

6.1

Medium

Vector

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

SilverStripe versions 4.4.x through 4.4.4
SilverStripe versions 4.5.x through 4.5.1

Description

The issue allows reflected XSS on the login form and on custom forms. SilverStripe Forms permit malicious HTML or JavaScript to be inserted through non-scalar FormField attributes, enabling XSS (Cross-Site Scripting) on some forms built from user input (request data). This can lead to phishing attempts to obtain a user's credentials or other sensitive user input.

Recommendations

For SilverStripe versions 4.4.x through 4.4.4, update to version 4.4.5 or later.
For SilverStripe versions 4.5.x through 4.5.1, update to version 4.5.2 or later.
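An added illustration of the bug class the description names, not SilverStripe's own code, using constructed request data: a form-attribute renderer that escapes only string values beside one that coerces every value, including arrays, to an escaped string before it reaches the markup.

```python
import html
import json
import re

# Constructed request data (not a real capture): one scalar attribute and one
# non-scalar (list) attribute, as a multi-valued request parameter would produce.
REQUEST_ATTRS = {
    "placeholder": 'Email" onfocus="alert(1)',
    "data-options": ["a", '"><script>alert(1)</script>'],
}

ATTR_NAME = re.compile(r"[A-Za-z_:][-A-Za-z0-9_:.]*")


def render_attrs_vulnerable(attrs: dict) -> str:
    """Bug class from the advisory: only str values are escaped, so a list
    value arriving from request data is joined into the markup raw."""
    parts = []
    for name, value in attrs.items():
        if isinstance(value, str):
            value = html.escape(value, quote=True)
        elif isinstance(value, (list, tuple)):
            value = " ".join(value)  # escaping skipped for non-scalars
        parts.append(f'{name}="{value}"')
    return " ".join(parts)


def escape_attr_value(value) -> str:
    """Hardened path: coerce every value to one string first (lists/dicts are
    JSON-encoded), then escape it for an HTML attribute context."""
    if isinstance(value, (list, tuple, dict)):
        value = json.dumps(value)
    elif not isinstance(value, str):
        value = str(value)
    return html.escape(value, quote=True)


def render_attrs_fixed(attrs: dict) -> str:
    """Validate attribute names and escape every value regardless of type."""
    parts = []
    for name, value in attrs.items():
        if not ATTR_NAME.fullmatch(name):
            raise ValueError(f"invalid attribute name: {name!r}")
        parts.append(f'{name}="{escape_attr_value(value)}"')
    return " ".join(parts)


if __name__ == "__main__":
    print(render_attrs_vulnerable(REQUEST_ATTRS))
    print(render_attrs_fixed(REQUEST_ATTRS))
```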

Exploit

Fix

XSS

OS Command Injection

Weakness Enumeration

Related Identifiers

CVE-2019-19325
GHSA-QVRV-2X7X-78X2

Affected Products

Silverstripe