Improper Handling of User Input - Cross-Site Scripting (Stored)

High
lozcalver published GHSA-38h6-gmr2-j4wx Apr 3, 2023

Package

andrewhaine/silverstripe-form-capture (Composer)

Affected versions

0.2.0-0.2.3, 1.0.0-1.0.1, 2.0.0-2.2.4

Patched versions

1.0.2, 1.1.0, 2.2.5

Package

bigfork/silverstripe-form-capture (Composer)

Affected versions

3.0.0-3.1.0

Patched versions

3.1.1

Description

Impact

Improper escaping when presenting stored form submissions allowed an attacker to perform a Cross-Site Scripting attack.

Patches

The vulnerability was initially patched in version 1.0.2, and version 1.1.0 includes this patch. The bug was then accidentally re-introduced during a merge error, and has been re-patched in versions 2.2.5 and 3.1.1.
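
Because the fix was lost again after 1.1.0, a "1.0.2 or newer is safe" check is wrong; the following added example (not part of the advisory or the project's code) checks a `composer.lock` against the exact affected ranges listed above. The function names and the sample lock content are constructed for illustration.

```python
import json

# Inclusive affected ranges per Composer package, copied from this advisory.
AFFECTED = {
    "andrewhaine/silverstripe-form-capture": [("0.2.0", "0.2.3"), ("1.0.0", "1.0.1"), ("2.0.0", "2.2.4")],
    "bigfork/silverstripe-form-capture": [("3.0.0", "3.1.0")],
}

def parse_version(text):
    """'2.2.4' or 'v2.2.4' -> (2, 2, 4); None for branch names such as 'dev-main'."""
    core = text.lstrip("vV").split("-")[0].split("+")[0]  # pre-release/build suffix ignored
    parts = core.split(".")
    if not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in (parts + ["0", "0"])[:3])

def is_affected(name, version):
    """True if in an affected range, False if not, None if the version is not comparable."""
    ranges = AFFECTED.get(name.lower())
    if ranges is None:
        return False
    parsed = parse_version(version)
    if parsed is None:
        return None  # e.g. dev-main: inspect the checked-out commit manually
    return any(parse_version(lo) <= parsed <= parse_version(hi) for lo, hi in ranges)

def audit_lock(lock_text):
    """Return [(name, version, status)] for the advisory's packages found in a composer.lock."""
    lock = json.loads(lock_text)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            name, version = pkg.get("name", ""), pkg.get("version", "")
            if name.lower() in AFFECTED:
                status = {True: "affected", False: "ok", None: "unknown"}[is_affected(name, version)]
                findings.append((name, version, status))
    return findings

# Constructed sample composer.lock content (not taken from a real project).
SAMPLE_LOCK = json.dumps({
    "packages": [{"name": "andrewhaine/silverstripe-form-capture", "version": "2.1.0"}],
    "packages-dev": [{"name": "bigfork/silverstripe-form-capture", "version": "v3.1.1"}],
})

if __name__ == "__main__":
    for name, version, status in audit_lock(SAMPLE_LOCK):
        print(f"{name} {version}: {status}")
```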

Workarounds

There are no known workarounds for this vulnerability.

Credit

Credit to Thomas McClymont for discovering this vulnerability.

Severity

High

CVE ID

CVE-2023-28851

Weaknesses

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as <, >, and & that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.