Advisory Database

GHSA-frm9-7pm9-5rgc: SilverStripe comments module includes version of jQuery vulnerable to Cross-site Scripting

May 27, 2024

The silverstripe/comments module, the cwp/starter-theme and the cwp/watea-theme include an outdated version of jQuery by default, which contains XSS vulnerabilities if user input reaches it in certain contexts. No known exploit has been found for the default usage, but user customisation of these themes could have made them exploitable.

CWP 2.0.0 has been released with the fixed cwp/starter-theme and silverstripe/comments module, and SilverStripe 4.2.0 will be released with the fixed silverstripe-themes/simple theme.

References

  • github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/comments/SS-2018-015-1.yaml
  • github.com/advisories/GHSA-frm9-7pm9-5rgc
  • github.com/silverstripe/silverstripe-comments
  • www.silverstripe.org/download/security-releases/ss-2018-015

Affected versions

All versions starting from 1.3.0 before 3.1.1

Fixed versions

  • 3.1.1

Solution

Upgrade to version 3.1.1 or above.
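As an added example (not GitLab's or SilverStripe's own code), the following Python script applies this advisory's affected range to the silverstripe/comments entry of a composer.lock. It goes slightly beyond the bare range above: it normalises the version shapes Composer writes (a leading `v`, a fourth component, a pre-release suffix) so that a 3.1.1 pre-release is still reported as affected, and it flags a branch alias such as dev-master for manual review instead of silently passing it. The lock-file content at the bottom is constructed for the demonstration.

```python
"""Apply the affected range from this advisory (>= 1.3.0, < 3.1.1) to the
silverstripe/comments entry of a composer.lock.

Added example; this is not GitLab's or SilverStripe's own code. The lock-file
content at the bottom is constructed for the demonstration.
"""
import json
import re

PACKAGE = "silverstripe/comments"
AFFECTED_FROM = (1, 3, 0)   # inclusive lower bound, from the advisory
FIXED_IN = (3, 1, 1)        # exclusive upper bound, from the advisory

# Composer version shapes seen in composer.lock: "3.1.0", "v3.1.0",
# "3.1.0.0" (Composer's normalised form), "3.1.0-rc1". Branch aliases such
# as "dev-master" do not match and are reported as unknown.
_VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)(?:\.(\d+))?(?:\.\d+)?(?:-([0-9A-Za-z.]+))?$"
)


def parse_version(version):
    """Return a comparable tuple for a Composer version, or None if the
    string is not a numeric release (e.g. a dev branch alias).

    The tuple is (major, minor, patch, is_final, pre_tag): a pre-release
    such as 3.1.1-rc1 sorts below the final 3.1.1, so it still counts as
    affected, while 1.3.0-rc1 sorts below 1.3.0 and does not.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    major, minor, patch, pre = m.groups()
    numbers = (int(major), int(minor), int(patch or 0))
    return numbers + ((0, pre) if pre else (1, ""))


def is_affected(version):
    """True if version lies in [1.3.0, 3.1.1), False if outside,
    None if the version string cannot be compared."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    return AFFECTED_FROM + (1, "") <= parsed < FIXED_IN + (1, "")


def scan_lock(lock_json):
    """Map each composer.lock section holding silverstripe/comments to
    (version, verdict); verdict is True/False/None as in is_affected."""
    data = json.loads(lock_json)
    findings = {}
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            if pkg.get("name") == PACKAGE:
                findings[section] = (pkg["version"], is_affected(pkg["version"]))
    return findings


# Constructed composer.lock fragment, trimmed to the fields the scan uses.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "silverstripe/framework", "version": "4.1.1"},
        {"name": "silverstripe/comments", "version": "3.0.1"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    labels = {True: "AFFECTED", False: "not affected", None: "unknown, review manually"}
    for section, (version, verdict) in scan_lock(SAMPLE_LOCK).items():
        print(f"{section}: {PACKAGE} {version} -> {labels[verdict]}")
```

Point the script at a real composer.lock by reading the file into `scan_lock`; a `None` verdict means the project pins a branch rather than a tagged release, which the advisory's range cannot answer and which should be resolved by checking the commit actually installed.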

Impact 4.4 MEDIUM

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

Weakness

  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Source file

packagist/silverstripe/comments/GHSA-frm9-7pm9-5rgc.yml

Page generated Wed, 14 May 2025 12:15:16 +0000.