SS-2013-009: XSS in CMS "Pages" section

Severity: Low (?)
Identifier: SS-2013-009
Versions Affected: 3.0, 3.1
Versions Fixed: 3.0.7, 3.1.0-rc3
Release Date: 2013-09-24

The "Insert Link" dropdown and the "Dependent Pages" list in the "Pages" CMS section are vulnerable to persistent cross-site scripting through the SiteTree.Title attribute. The attack requires a CMS login by a malicious third party, and can lead to authenticated requests being executed on behalf of the victim CMS user.
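The class of bug described above, as an added example in plain PHP (not SilverStripe's code or its actual fix): a stored page title rendered into an option list with and without output encoding, plus a check for titles that were saved before patching. The `$pages` array, its sample titles and all function names are constructed for illustration.

```php
<?php
// Constructed sample records standing in for stored pages; the second title
// is the kind of value a logged-in CMS author could save.
$pages = [
    ['ID' => 1, 'Title' => 'About Us'],
    ['ID' => 2, 'Title' => 'News <img src=x onerror=alert(1)>'],
    ['ID' => 3, 'Title' => 'Terms & Conditions'],
];

// Vulnerable pattern: the stored title is concatenated into markup as-is,
// so it is parsed as HTML in the browser of every user who opens the list.
function renderOptionsUnsafe(array $pages): string
{
    $html = '';
    foreach ($pages as $page) {
        $html .= '<option value="' . (int) $page['ID'] . '">' . $page['Title'] . "</option>\n";
    }
    return $html;
}

// Hardened pattern: encode the title for the HTML context at output time.
function renderOptionsSafe(array $pages): string
{
    $html = '';
    foreach ($pages as $page) {
        $title = htmlspecialchars($page['Title'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $html .= '<option value="' . (int) $page['ID'] . '">' . $title . "</option>\n";
    }
    return $html;
}

// Audit helper: titles saved before an upgrade remain in storage, so list
// the records whose title contains markup characters for manual review.
function titlesNeedingReview(array $pages): array
{
    return array_values(array_filter($pages, function (array $page): bool {
        return preg_match('/[<>"\']/', $page['Title']) === 1;
    }));
}

echo renderOptionsUnsafe($pages), "\n", renderOptionsSafe($pages), "\n";
foreach (titlesNeedingReview($pages) as $page) {
    printf("review page #%d: %s\n", $page['ID'], htmlspecialchars($page['Title'], ENT_QUOTES, 'UTF-8'));
}
```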
