CVE-2024-32981 — Cross-site Scripting in Silverstripe-framework

CWE-79 — Cross-site Scripting3 documents3 sources

Severity

5.4MEDIUMNVD

EPSS

1.1%

top 22.43%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Silverstripe Silverstripe-framework Silverstripe Framework

Timeline

PublishedJul 17

Description

Silverstripe framework is the PHP framework forming the base for the Silverstripe CMS. In affected versions a bad actor with access to edit content in the CMS could add send a specifically crafted encoded payload to the server, which could be used to inject a JavaScript payload on the front end of the site. The payload would be sanitised on the client-side, but server-side sanitisation doesn't catch it. The server-side sanitisation logic has been updated to sanitise against this type of attack i…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages3 packages

▶NVDsilverstripe/framework< 5.2.16

▶Packagistsilverstripe/framework< 5.2.16

▶CVEListV5silverstripe/silverstripe-framework< 5.2.16

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Silverstripe Framework has a Cross-site Scripting vulnerability with encoded payload↗2024-07-17

▶

OSV

Silverstripe Framework has a Cross-site Scripting vulnerability with encoded payload↗2024-07-17

▶