Silverstripe XSS In rewritten hash links

A high level XSS vulnerability has been discovered in the SilverStripe framework which causes links containing hash anchors (E.g. href="#anchor") to be rewritten in an unsafe way.

The rewriteHashlinks option on SSViewer will rewrite these to contain the current url, although without adequate escaping, meaning that HTML could be injected via injecting unsafe values to any page via the querystring.

Due to the nature of this issue it is likely that a large number of SilverStripe sites are affected.

Published: May 23, 2024
Updated: Jun 27, 2024
GHSA: GHSA-34q6-xqxh-gq39
Severity: Medium
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
silverstripe / framework	-	3.0.13
silverstripe / framework	3.1.0	3.1.12

https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2015-009-1.yaml
https://github.com/silverstripe/silverstripe-framework/commit/604c32871202064a4aa12c3b3fd58140231685e5
https://github.com/silverstripe/silverstripe-framework/commit/bdef4fc7a548c7c243ff86f2db7c16f301a6f120
https://www.silverstripe.org/software/download/security-releases/ss-2015-009-xss-in-rewritten-hash-links

Vulnerability Database

Silverstripe XSS In rewritten hash links