GHSA-g5vj-wj9x-4jg9

Suggest an improvement
Source
https://github.com/advisories/GHSA-g5vj-wj9x-4jg9
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-g5vj-wj9x-4jg9/GHSA-g5vj-wj9x-4jg9.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-g5vj-wj9x-4jg9
Published
2024-05-29T18:53:48Z
Modified
2024-12-04T05:40:22.276580Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
symbiote/silverstripe-multivaluefield Possible PHP Object Injection via Multi-Value Field Extension
Details

A potential deserialisation vulnerability has been identified in the symbiote/silverstripe-multivaluefield which could allow an attacker to exploit implementations of this module via object injection.

Support for handling PHP objects as values in this module has been deprecated, and the serialisation technique has been switched to using JSON for handling arrays.

As well as this, a potential XSS (cross-site scripting) vulnerability has been identified and remediated.

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-74",
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-29T18:53:48Z"
}
References

Affected packages

Packagist / symbiote/silverstripe-multivaluefield

Package

Name
symbiote/silverstripe-multivaluefield
Purl
pkg:composer/symbiote/silverstripe-multivaluefield

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0
Fixed
3.1.0

Affected versions

3.*

3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5