Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS0zOGg2LWdtcjItajR3eM4AAyg7

Silverstripe Form Capture vulnerable to stored cross-site-scripting

Impact

Improper escaping when presenting stored form submissions allowed an attacker to perform a stored Cross-Site Scripting (XSS) attack.

Patches

The vulnerability was initially patched in version 1.0.2, and version 1.1.0 includes this patch. The bug was then accidentally re-introduced during a merge error, and has been re-patched in versions 2.2.5 and 3.1.1.

Permalink: https://github.com/advisories/GHSA-38h6-gmr2-j4wx
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0zOGg2LWdtcjItajR3eM4AAyg7
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 2 months ago
Updated: about 2 months ago

CVSS Score: 6.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Identifiers: GHSA-38h6-gmr2-j4wx, CVE-2023-28851
References:

Affected Packages

packagist:andrewhaine/silverstripe-form-capture
Versions: >= 0.2.0, <= 0.2.3; >= 1.0.0, <= 1.0.1; >= 2.0.0, <= 2.2.4
Fixed in: 1.0.2, 1.1.0, 2.2.5
packagist:bigfork/silverstripe-form-capture
Versions: >= 3.0.0, <= 3.1.0
Fixed in: 3.1.1