PT-2024-40216 · Silverstripe · Silverstripe

Published: 2024-05-23 · Updated: 2024-05-23

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: SilverStripe forms (affected versions not specified)
Description: Form fields in SilverStripe forms whose isReadonly() returns true are exposed to reflected XSS. This includes ReadonlyField, LookupField, HTMLReadonlyField and special-purpose readonly fields such as TimeField Readonly. Values submitted for these fields are not filtered out of the form's session data and may be displayed back to the user, for example when form validation errors occur. Because SilverStripe forms automatically load values from request data, a crafted URL can place such a value into the form whenever it uses one of these fields and does not overwrite its data on construction. Readonly and disabled form fields are, however, already skipped by Form->saveInto(), so maliciously submitted data does not reach the database unless the saving logic reads form values directly.
Recommendations: For SilverStripe forms that use readonly fields such as ReadonlyField, LookupField, HTMLReadonlyField or TimeField Readonly, overwrite the field data on form construction so that request-supplied values cannot be reflected. As a temporary workaround, restrict access to form fields that return isReadonly() as true until a proper fix is implemented. Do not read form values directly in your saving logic, so that malicious data cannot enter the database. At the moment there is no information about a newer version that contains a fix for this vulnerability.
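To illustrate the recommendation above, the following added example (not code from the advisory or from the Silverstripe project) shows a SilverStripe 4 page controller whose form re-sets a ReadonlyField from a trusted server-side value every time the form is built and never copies that field out of the submitted data. OrderPageController, Order and the field names are hypothetical; the calls used are SilverStripe 4 framework API.

```php
<?php
// Added example, not from the advisory: a SilverStripe 4 page controller whose form uses a
// ReadonlyField. The readonly value is re-set from a trusted server-side source every time the
// form is built, so a value that arrived via the request and was kept in the form's session
// data after a validation error is overwritten before rendering. Names are hypothetical.

use SilverStripe\Forms\EmailField;
use SilverStripe\Forms\FieldList;
use SilverStripe\Forms\Form;
use SilverStripe\Forms\FormAction;
use SilverStripe\Forms\ReadonlyField;
use SilverStripe\Forms\RequiredFields;

class OrderPageController extends PageController
{
    private static $allowed_actions = ['OrderForm'];
    public function OrderForm()
    {
        $fields = FieldList::create(
            ReadonlyField::create('Reference', 'Order reference'),
            EmailField::create('Email', 'Your e-mail')
        );
        $actions = FieldList::create(FormAction::create('doOrder', 'Submit'));
        $validator = RequiredFields::create('Email');
        // The form constructor restores data saved in the session by the previous
        // (failed) submission, including whatever was posted for 'Reference'.
        $form = Form::create($this, __FUNCTION__, $fields, $actions, $validator);
        // Overwrite the readonly value after construction so request- or session-supplied content is never rendered back.
        $form->getFields()->dataFieldByName('Reference')->setValue($this->trustedReference());
        return $form;
    }

    public function doOrder($data, Form $form)
    {
        $order = Order::create(); // hypothetical DataObject with a Reference field
        // saveInto() already skips readonly and disabled fields; do not copy
        // $data['Reference'] or $form->getData() into the record by hand.
        $form->saveInto($order);
        $order->Reference = $this->trustedReference();
        $order->write();
        return $this->redirectBack();
    }

    private function trustedReference()
    {
        // Hypothetical: derived from server-side state, never from the request.
        return 'ORD-' . $this->data()->ID;
    }
}
```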

Weakness Enumeration: XSS

Related Identifiers: GHSA-97JM-G33H-F46G

Affected Products: Silverstripe