SS-2016-013: Member.Name isn't escaped
The core template framework/templates/Includes/GridField_print.ss
uses “Printed by $Member.Name”. If the currently logged in members first name or surname contain XSS, this prints the raw HTML out, because Member->getName()
just returns the raw FirstName + Surname
as a string, which is injected directly.
References
Detect and mitigate SS-2016-013 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →