Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1mcm05LTdwbTktNXJnY84AA8ia

SilverStripe comments module includes version of jQuery vulnerable to Cross-site Scripting

The silverstripe/comments module, the cwp/starter-theme and the cwp/watea-theme include an outdated version of jQuery by default, which contains XSS vulnerabilities if user input is used in certain contexts. Though no known exploit has been found for these in the existing usage, user customisation to these themes could have made them exploitable.

CWP 2.0.0 has been released with the fixed cwp/stater-theme and silverstripe/comments module, and SilverStripe 4.2.0 will be released with the fixed silverstripe-themes/simple theme.

Permalink: https://github.com/advisories/GHSA-frm9-7pm9-5rgc
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mcm05LTdwbTktNXJnY84AA8ia
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 6 months ago
Updated: 6 months ago


CVSS Score: 4.4
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

Identifiers: GHSA-frm9-7pm9-5rgc
References: Blast Radius: 6.9

Affected Packages

packagist:silverstripe/comments
Dependent packages: 14
Dependent repositories: 37
Downloads: 246,934 total
Affected Version Ranges: >= 1.3.0, < 3.1.1
Fixed in: 3.1.1
All affected versions: 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 3.0.0, 3.1.0
All unaffected versions: 1.2.0, 1.2.1, 1.2.2, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.2.0, 3.2.1, 3.3.0, 3.3.1, 3.4.0, 3.5.0, 3.6.0, 3.7.0, 3.7.1, 3.7.2, 3.8.0, 3.9.0, 3.10.0, 3.10.1, 3.10.2, 3.10.3, 3.10.4, 4.0.0, 4.0.1