silverstripe/framework has Cross-site Scripting vulnerability in CMSSecurity BackURL · GHSA-r85g-7jpv-8xrx · GitHub Advisory Database · GitHub

silverstripe/framework has Cross-site Scripting vulnerability in CMSSecurity BackURL

Moderate severity GitHub Reviewed Published May 27, 2024 to the GitHub Advisory Database • Updated May 27, 2024

Package

silverstripe/framework (Composer)

Affected versions

>= 3.1.0-rc1, < 3.1.21

>= 3.2.0-rc1, < 3.2.6

>= 3.3.0-rc1, < 3.3.4

>= 3.4.0-rc1, < 3.4.2

Patched versions

3.1.21

3.2.6

3.3.4

3.4.2

Description

In follow up to SS-2016-001 there is yet a minor unresolved fix to incorrectly encoded URL.

References

Published to the GitHub Advisory Database May 27, 2024

Reviewed May 27, 2024

Last updated May 27, 2024

Severity

Moderate

/ 10

CVSS v3 base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N