SS-2013-008: XSS in form validation errors

Severity: Low
Identifier: SS-2013-008
Versions Affected: 3.0.6, 3.1.0
Versions Fixed: 3.0.7, 3.1.0-rc3
Release Date: 2013-09-24

SilverStripe CMS gives users feedback through custom messages generated by form or form field validation. When such a message incorporates user-provided data, for example by quoting a wrongly formatted value, it can lead to cross-site scripting. A validation message normally prevents the form from saving, so the malicious input is usually neither persisted nor shown to other users. However, Form->sessionMessage() can also be used to pass a success message to the user, so in the rare case where already stored data is used to compose that message, the malicious input can be persisted and rendered on a later request.

As of the fixed versions, form and form field messages are treated as plain text and escaped by default.
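As an added example, not code from this advisory or from SilverStripe itself, the following plain PHP script models the two situations described above: a validation message that quotes the rejected value, rendered once without escaping (the vulnerable pattern) and once as plain text (the fixed behaviour), and a session-stored success message composed from already saved data, which is the persistent variant. It uses PHP's htmlspecialchars() in place of the framework's own message escaping; the function names, the session key and the sample input are all constructed for this illustration.

```php
<?php
// Added example, not SilverStripe's own code. Models the advisory in plain
// PHP: a validation message quoting the submitted value, rendered unescaped
// (vulnerable) and escaped (fixed), plus a session-stored success message
// built from stored data to show the persistent case. All function names,
// the session key and the sample input are constructed for this demo.

/** Returns the validation message for a malformed email, or null if valid. */
function emailValidationMessage(string $submitted): ?string
{
    if (filter_var($submitted, FILTER_VALIDATE_EMAIL) !== false) {
        return null;
    }
    // The message quotes the raw submitted value: this is the root cause.
    return 'The value "' . $submitted . '" is not a valid email address.';
}

/** Vulnerable rendering: the message is interpolated into HTML as-is. */
function renderMessageUnescaped(string $message): string
{
    return '<span class="message bad">' . $message . '</span>';
}

/** Fixed rendering: the message is plain text and escaped for HTML. */
function renderMessageEscaped(string $message): string
{
    return '<span class="message bad">'
        . htmlspecialchars($message, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</span>';
}

/**
 * Model of the sessionMessage() case: a success message built from data
 * that was already saved is stored in the session and displayed on a later
 * request, so whatever it contains survives beyond the request that set it.
 * The key 'form_message' is a constructed stand-in, not the framework's.
 */
function storeSuccessMessage(array &$session, string $storedDisplayName): void
{
    $session['form_message'] = 'Thank you, ' . $storedDisplayName
        . ', your profile was saved.';
}

/** Reads the pending session message once, as the next request would. */
function takeSessionMessage(array &$session): ?string
{
    $message = $session['form_message'] ?? null;
    unset($session['form_message']);
    return $message;
}

// Constructed probe: fails email validation and carries markup.
$probe = '<script>alert(1)</script>';

// Non-persistent case: the message is shown on the request that rejected
// the value. Unescaped, the probe lands in the page as a script element;
// escaped, its angle brackets become entities and it is displayed as text.
$message = emailValidationMessage($probe);
echo "Unescaped: ", renderMessageUnescaped($message), PHP_EOL;
echo "Escaped:   ", renderMessageEscaped($message), PHP_EOL;

// Persistent case: the display name was stored earlier (nothing rejected
// it) and is later used to compose a success message for the next request.
$session = [];
storeSuccessMessage($session, $probe);
$pending = takeSessionMessage($session);
echo "Session message, unescaped: ", renderMessageUnescaped($pending), PHP_EOL;
echo "Session message, escaped:   ", renderMessageEscaped($pending), PHP_EOL;
```

Run it with `php` on the command line and compare the two renderings of each message. When auditing a site on an affected version, the places to check are every validation message and every sessionMessage() call whose text is concatenated from user-submitted or database-stored values; after upgrading, any code that deliberately put HTML into such a message will now see it escaped and needs to be reviewed rather than silently relied upon.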

Reported by Vulnerability Laboratory Evolution
