CVE-2011-4958 Information
Description
Cross-site scripting (XSS) vulnerability in the process function in SSViewer.php in SilverStripe before 2.3.13 and 2.4.x before 2.4.6 allows remote attackers to inject arbitrary web script or HTML via the QUERY_STRING to template placeholders as demonstrated by a request to (1) admin/reports/ (2) admin/comments/ (3) admin/ (4) admin/show/ (5) admin/assets/ and (6) admin/security/.
Reference
http://doc.silverstripe.org/sapphire/en/trunk/changelogs/2.3.12 http://doc.silverstripe.org/sapphire/en/trunk/changelogs/2.4.6 http://osvdb.org/76258 http://secunia.com/advisories/46390 http://www.rul3z.de/advisories/SSCHADV2011-024.txt http://www.securityfocus.com/archive/1/520050/100/0/threaded https://github.com/silverstripe/sapphire/commit/16c3235 https://github.com/silverstripe/sapphire/commit/52a895f https://github.com/silverstripe/sapphire/commit/bdd6391
Share on: