silverstripe/framework vulnerable to Cross-site Scripting In `OptionsetField` and `CheckboxSetField`
List of key / value pairs assigned to OptionsetField or CheckboxSetField do not have a default casting assigned to them. The effect of this is a potential XSS vulnerability in lists where either key or value contain unescaped HTML.
| Software | From | Fixed in |
|---|---|---|
silverstripe / framework
|
3.1.19-rc1 | 3.1.20 |
|
silverstripe / framework
|
3.2.4-rc1 | 3.2.5 |
|
silverstripe / framework
|
3.3.2-rc1 | 3.3.3 |
|
silverstripe / framework
|
3.4.0-rc1 | 3.4.1 |
- https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2016-015-1.yaml
- https://github.com/silverstripe/silverstripe-framework/commit/049cdefacfd3122d59d5488c1317f999fe8aacc4
- https://github.com/silverstripe/silverstripe-framework/commit/12a6b357e761f09d818fd0013eb2d85014de79a0
- https://github.com/silverstripe/silverstripe-framework/commit/62a242154ec3508fe9b174a40713c8520ac1684c
- https://github.com/silverstripe/silverstripe-framework/commit/b0ba2015d9684ee7b124dafcf6b59b046e20f8ed
- https://www.silverstripe.org/download/security-releases/ss-2016-015
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime