GHSA-jqp8-v74p-g8px

Suggest an improvement
Source
https://github.com/advisories/GHSA-jqp8-v74p-g8px
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-jqp8-v74p-g8px/GHSA-jqp8-v74p-g8px.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-jqp8-v74p-g8px
Published
2024-05-23T16:48:11Z
Modified
2024-11-28T05:44:29.706721Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
Silverstripe XSS in Director::force_redirect()
Details

A low level XSS vulnerability has been found in the Framework affecting http redirection via the Director::force_redirect method.

Attempts to redirect to a url may generate HTML which is not safely escaped, and may pose a risk of XSS in some environments.

This vulnerability is marked low as it is difficult to exploit, as any injected HTML will only be returned from the server if the Location HTTP header is also sent, meaning that any user browsing the site would not be exposed to the body of the response before their browser redirects them.

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-23T16:48:11Z"
}
References

Affected packages

Packagist / silverstripe/framework

Package

Name
silverstripe/framework
Purl
pkg:composer/silverstripe/framework

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.1.0
Fixed
3.1.12

Affected versions

3.*

3.1.0
3.1.1
3.1.2-rc1
3.1.2
3.1.3-rc1
3.1.3-rc2
3.1.3
3.1.4-rc1
3.1.4
3.1.5-rc1
3.1.5
3.1.6-rc1
3.1.6-rc2
3.1.6-rc3
3.1.6
3.1.7-rc1
3.1.7
3.1.8
3.1.9-rc1
3.1.9
3.1.10-rc1
3.1.10-rc2
3.1.10
3.1.11-rc1
3.1.11