GHSA-r9vp-fp72-xgf7: silverstripe/framework's `Member.Name` is not escaped
The core template framework/templates/Includes/GridField_print.ss uses “Printed by $Member.Name”.
If the currently logged in members first name or surname contain XSS, this prints the raw HTML out, because Member->getName() just returns the raw FirstName + Surname as a string, which is injected directly.
References
- github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2016-013-1.yaml
- github.com/advisories/GHSA-r9vp-fp72-xgf7
- github.com/silverstripe/silverstripe-framework
- github.com/silverstripe/silverstripe-framework/commit/281b0de571fe0ae159ac47891c02acf2214fa619
- github.com/silverstripe/silverstripe-framework/commit/6817c57f64b9eb2b271b81662cd83b074a3daee4
- github.com/silverstripe/silverstripe-framework/commit/83e3302c0425d9b0e4fe42e82e3df03379f4dca5
- github.com/silverstripe/silverstripe-framework/commit/8bbf1caae665a07b3e44e8d5d32556a03d38c296
- www.silverstripe.org/download/security-releases/ss-2016-013
Code Behaviors & Features
Detect and mitigate GHSA-r9vp-fp72-xgf7 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →