silverstripe/framework code execution vulnerability

There is a vulnerability whereby arbitrary global functions may be executed if malicious user input is passed through to in the second argument of ViewableData::renderWith. This argument resolves associative arrays as template placeholders. This exploit requires that user code has been written which makes use of the second argument in renderWith and where user input is passed directly as a value in an associative array without sanitisation such as Convert::raw2xml().

ViewableData::customise is not vulnerable.

Published: May 27, 2024
Updated: Jun 27, 2024
GHSA: GHSA-vgxh-x8jv-hmff
Severity: High
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CWEs:

CWE-74

Affected Software
References

Software	From	Fixed in
silverstripe / framework	4.0.3-rc1	4.0.4
silverstripe / framework	4.1.0-rc1	4.1.1

https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2018-006-1.yaml
https://github.com/silverstripe/silverstripe-framework/commit/6f50728b185e62c0087a58b295a015cb13276911
https://www.silverstripe.org/download/security-releases/ss-2018-006

Vulnerability Database

silverstripe/framework code execution vulnerability