CVE-2019-19325 — Cross-site Scripting in Silverstripe

CWE-79 — Cross-site Scripting CWE-78 — OS Command Injection3 documents3 sources

Severity

6.1MEDIUMNVD

EPSS

0.4%

top 41.88%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Silverstripe Silverstripe Framework

Timeline

PublishedFeb 17

Latest updateFeb 24

Description

SilverStripe through 4.4.x before 4.4.5 and 4.5.x before 4.5.2 allows Reflected XSS on the login form and custom forms. Silverstripe Forms allow malicious HTML or JavaScript to be inserted through non-scalar FormField attributes, which allows performing XSS (Cross-Site Scripting) on some forms built with user input (Request data). This can lead to phishing attempts to obtain a user's credentials or other sensitive user input.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶Packagistsilverstripe/framework4.5.0 — 4.5.2+1

▶NVDsilverstripe/silverstripe4.4.0 — 4.4.5+1

🔴Vulnerability Details

GHSA

Reflected XSS in SilverStripe↗2020-02-24

▶

OSV

Reflected XSS in SilverStripe↗2020-02-24

▶