silverstripe/framework's `Member.Name` is not escaped

The core template framework/templates/Includes/GridField_print.ss uses "Printed by $Member.Name".

If the currently logged in members first name or surname contain XSS, this prints the raw HTML out, because Member->getName() just returns the raw FirstName + Surname as a string, which is injected directly.

Published: May 27, 2024
Updated: Jun 27, 2024
GHSA: GHSA-r9vp-fp72-xgf7
Severity: Medium
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
silverstripe / framework	3.1.9-rc1	3.1.20
silverstripe / framework	3.2.4-rc1	3.2.5
silverstripe / framework	3.3.2-rc1	3.3.3
silverstripe / framework	3.4.0-rc1	3.4.1

https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2016-013-1.yaml
https://github.com/silverstripe/silverstripe-framework/commit/281b0de571fe0ae159ac47891c02acf2214fa619
https://github.com/silverstripe/silverstripe-framework/commit/6817c57f64b9eb2b271b81662cd83b074a3daee4
https://github.com/silverstripe/silverstripe-framework/commit/83e3302c0425d9b0e4fe42e82e3df03379f4dca5
https://github.com/silverstripe/silverstripe-framework/commit/8bbf1caae665a07b3e44e8d5d32556a03d38c296
https://www.silverstripe.org/download/security-releases/ss-2016-013

Vulnerability Database

silverstripe/framework's `Member.Name` is not escaped