
SS-2016-013: Member.Name isn't escaped

Severity:
Low
Identifier:
ss-2016-013
Versions Affected:
3.1.19, 3.2.4, 3.3.2, 3.4.0
Versions Fixed:
3.1.20, 3.2.5, 3.3.3, 3.4.1
Release Date:
2016-08-15

The core template framework/templates/Includes/GridField_print.ss uses "Printed by $Member.Name".

If the currently logged-in member's first name or surname contains an XSS payload, this prints the raw HTML, because Member->getName() simply returns FirstName and Surname concatenated as a string, which is then injected directly into the template output without escaping.
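The following is an added illustration, not code from SilverStripe or from the advisory: a minimal stand-in for Member and the "Printed by $Member.Name" line, showing the raw concatenation next to an escaped rendering. MemberStub, renderPrintedByRaw and renderPrintedByEscaped are hypothetical names; the sample name is constructed.

```php
<?php
// Added example (not SilverStripe code): models the behaviour the advisory
// describes. MemberStub::getName() returns FirstName + Surname as a raw string.
class MemberStub
{
    public $FirstName;
    public $Surname;

    public function __construct($first, $surname)
    {
        $this->FirstName = $first;
        $this->Surname = $surname;
    }

    // Mirrors Member->getName(): plain concatenation, no escaping.
    public function getName()
    {
        return trim($this->FirstName . ' ' . $this->Surname);
    }
}

// Vulnerable rendering: the name is substituted into the template verbatim,
// so any markup in FirstName or Surname becomes part of the page's HTML.
function renderPrintedByRaw(MemberStub $member)
{
    return 'Printed by ' . $member->getName();
}

// Hardened rendering: HTML-escape the value before it reaches the document,
// so the same markup is shown as literal text instead of being interpreted.
function renderPrintedByEscaped(MemberStub $member)
{
    return 'Printed by ' . htmlspecialchars($member->getName(), ENT_QUOTES, 'UTF-8');
}

// Constructed sample: a surname that contains (harmless) HTML markup.
$member = new MemberStub('Jane', '<b>Doe</b>');

echo renderPrintedByRaw($member), PHP_EOL;
echo renderPrintedByEscaped($member), PHP_EOL;

// A simple check a reviewer can apply: the escaped output must not contain
// a raw '<' once the static "Printed by " prefix is removed.
$body = substr(renderPrintedByEscaped($member), strlen('Printed by '));
echo (strpos($body, '<') === false ? 'escaped' : 'NOT escaped'), PHP_EOL;
```

Running this prints the markup once as live HTML and once as entity-encoded text, which is the difference between the affected and fixed behaviour.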

Credit to Matt Peel for reporting.