PT-2024-40096 · Microsoft · Internet Explorer

Published

2024-05-23

·

Updated

2024-05-23

CVSS v3.1

6.1

Medium

Vector

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Silverstripe versions prior to a fixed version (affected versions not specified)
Description: The issue affects Internet Explorer, which does not encode all entities in the URL string of a request. As a result, when rewriting hashlinks, SSViewer::process() outputs $_SERVER['REQUEST_URI'] directly, inserting the unencoded entities into the output content. This allows JavaScript code to be inserted into the page as-is, i.e. reflected cross-site scripting (XSS). For example, a request such as GET /site/cars/brands/toyota?one=1"onmouseover="alert('things');" inserts JavaScript code into the page.
Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
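As an added illustration (not Silverstripe's code and not part of the advisory), the following Python models the hash-link rewriting the description refers to: a version that splices the raw request URI into the href attribute as described, a hardened version that attribute-encodes it first, and a check that shows whether the request smuggled an extra attribute into the anchor tag. The template fragment, the regular expression and the helper names are assumptions; the request URI is the one from the description.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample: a template fragment with an in-page anchor link, before
# the hash-link rewriting that prefixes "#anchor" with the current request URI.
PAGE = '<p><a href="#details">Details</a></p>'

# The request URI from the advisory, as Internet Explorer sends it (the '"'
# characters are not percent-encoded by the browser).
IE_REQUEST_URI = '/site/cars/brands/toyota?one=1"onmouseover="alert(\'things\');"'

# Assumed matcher for hash-only hrefs; group 1 keeps everything up to the opening quote.
_HASHLINK = re.compile(r'(<a\b[^>]*\bhref=")#', re.IGNORECASE)


def rewrite_hashlinks_unsafe(page: str, request_uri: str) -> str:
    """Models the behaviour the advisory describes: REQUEST_URI is spliced into
    the href attribute verbatim, so a '"' in it terminates the attribute."""
    return _HASHLINK.sub(lambda m: m.group(1) + request_uri + '#', page)


def rewrite_hashlinks_safe(page: str, request_uri: str) -> str:
    """Hardened form: encode for the HTML attribute context before splicing, so
    '"', '<', '>' and '&' become entities and cannot close the attribute."""
    encoded = html.escape(request_uri, quote=True)
    return _HASHLINK.sub(lambda m: m.group(1) + encoded + '#', page)


class _AnchorAttrs(HTMLParser):
    """Collects the attribute dict of every <a> tag, with entities decoded."""

    def __init__(self) -> None:
        super().__init__()
        self.anchors: list[dict] = []

    def handle_starttag(self, tag: str, attrs: list) -> None:
        if tag == 'a':
            self.anchors.append(dict(attrs))


def anchor_attributes(page: str) -> list[dict]:
    """Detection check: an <a> that carries anything besides href after
    rewriting got that attribute from the request, not from the template."""
    parser = _AnchorAttrs()
    parser.feed(page)
    parser.close()
    return parser.anchors


if __name__ == '__main__':
    print(anchor_attributes(rewrite_hashlinks_unsafe(PAGE, IE_REQUEST_URI)))
    print(anchor_attributes(rewrite_hashlinks_safe(PAGE, IE_REQUEST_URI)))
```

With the unsafe rewrite the parsed anchor carries an onmouseover attribute from the request; with the encoded rewrite it carries only href, whose decoded value is the original URI plus the fragment.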

XSS

Weakness Enumeration

Related Identifiers

GHSA-5F5V-5C3V-GW5V

Affected Products

Internet Explorer