GHSA-mqf3-qpc3-g26q: Silverstripe Framework has a Reflected Cross Site Scripting (XSS) in error message
> [!IMPORTANT]
> This vulnerability only affects sites which are in the “dev” environment mode. If your production website is in “dev” mode, it has been misconfigured, and you should immediately swap it to “live” mode. See https://docs.silverstripe.org/en/developer_guides/debugging/environment_types/ for more information.
If a website has been set to the “dev” environment mode, a crafted URL containing an XSS payload is reflected unescaped into the resulting error message, where it executes in the browser of whoever views that page.
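As an added illustration (not Silverstripe's own code), a minimal PHP error renderer in the vulnerable shape the advisory describes, beside a hardened version that HTML-escapes the request URL and only produces the verbose page in “dev” mode. The function names, the `$envType` parameter and the sample URL are constructed for this example.

```php
<?php
declare(strict_types=1);

// Vulnerable shape: the request URL is interpolated into the error HTML
// without escaping, so markup carried in the URL lands in the page as markup.
function renderErrorUnsafe(string $requestUrl, string $message): string
{
    return "<h1>Error</h1><p>{$message} while handling {$requestUrl}</p>";
}

// Hardened shape: every untrusted value is HTML-escaped (quotes included, so
// it is also safe inside attribute values), and the verbose page is produced
// only when the environment is "dev"; any other mode gets a generic message.
function renderErrorSafe(string $requestUrl, string $message, string $envType): string
{
    $esc = static fn(string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');

    if ($envType !== 'dev') {
        return '<h1>Error</h1><p>An error occurred.</p>';
    }
    return '<h1>Error</h1><p>' . $esc($message)
         . ' while handling ' . $esc($requestUrl) . '</p>';
}

// Constructed sample input: a request URL carrying a script tag in its query string.
$url    = '/page?q=<script>alert(1)</script>';
$unsafe = renderErrorUnsafe($url, 'Not found');
$safe   = renderErrorSafe($url, 'Not found', 'dev');

// Regression check: the raw tag survives in the unsafe output and is
// neutralised to an entity sequence in the hardened output.
assert(strpos($unsafe, '<script>') !== false);
assert(strpos($safe, '<script>') === false);
assert(strpos($safe, '&lt;script&gt;') !== false);

// In "live" mode the hardened renderer never echoes the URL at all.
assert(strpos(renderErrorSafe($url, 'Not found', 'live'), 'page?q=') === false);

echo $safe, PHP_EOL;
```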
References
- github.com/advisories/GHSA-mqf3-qpc3-g26q
- github.com/silverstripe/silverstripe-framework
- github.com/silverstripe/silverstripe-framework/commit/a555dad4ec73c929f6316bcb4019eb325a5b77d8
- github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-mqf3-qpc3-g26q
- www.silverstripe.org/download/security-releases/ss-2024-002