
CVE-2019-19325 XSS through non-scalar FormField attributes

Severity:
High
Identifier:
CVE-2019-19325
Versions Affected:
silverstripe/framework:^4.3.0
Versions Fixed:
silverstripe/framework:4.4.5, silverstripe/framework:4.5.2
Release Date:
2020-02-17

Silverstripe Forms allow malicious HTML or JavaScript to be inserted through non-scalar FormField attributes, which allows performing XSS (Cross-Site Scripting) on some forms built from user input (request data). This can lead to phishing attempts to obtain a user's credentials or other sensitive user input. There is no known attack vector for extracting user-session information or credentials automatically; it requires a user to fall for the phishing attempt. XSS can also be used to modify the presentation of content in malicious ways.

The vulnerability is known to apply in at least the following cases:

The vulnerability has not been identified on forms created through the silverstripe/userforms module.
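To make the bug class concrete, the following is an added illustration (not Silverstripe's own code, and not the exact code path that was patched) of an attribute renderer that escapes only scalar values, shown next to one that serialises first and then escapes every value on a single path. The array value and the countRawQuotes() helper are constructed for this demonstration.

```php
<?php
// Added illustration of the bug class behind CVE-2019-19325 (not framework code).
// Attribute values may be built from request data; a renderer that only escapes
// scalars lets array values reach the markup with raw quotes and angle brackets.

function escapeAttr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable pattern: the non-scalar branch serialises but never escapes.
function renderAttributesVulnerable(array $attributes): string
{
    $parts = [];
    foreach ($attributes as $name => $value) {
        if (is_scalar($value)) {
            $value = escapeAttr((string) $value);
        } else {
            $value = json_encode($value, JSON_UNESCAPED_SLASHES); // raw " and < survive
        }
        $parts[] = sprintf('%s="%s"', $name, $value);
    }
    return implode(' ', $parts);
}

// Hardened pattern: serialise non-scalars first, then escape on one shared path.
function renderAttributesSafe(array $attributes): string
{
    $parts = [];
    foreach ($attributes as $name => $value) {
        if (!is_scalar($value)) {
            $value = json_encode($value, JSON_UNESCAPED_SLASHES);
        }
        $parts[] = sprintf('%s="%s"', $name, escapeAttr((string) $value));
    }
    return implode(' ', $parts);
}

// Constructed check: a correctly escaped rendering contains exactly two raw
// double quotes per attribute (the delimiters); any extra one breaks the context.
function countRawQuotes(string $html): int
{
    return substr_count($html, '"');
}

// Constructed request-derived attributes: the array value is benign text, yet the
// JSON it produces already carries quotes that terminate the attribute early.
$attrs = ['name' => 'Email', 'data-options' => ['label' => 'Email address']];

echo renderAttributesVulnerable($attrs), ' -> quotes: ', countRawQuotes(renderAttributesVulnerable($attrs)), "\n"; // 8
echo renderAttributesSafe($attrs), ' -> quotes: ', countRawQuotes(renderAttributesSafe($attrs)), "\n";             // 4
```

A regression test for the fixed versions can assert the same invariant: rendered attribute markup never contains more raw double quotes than twice the number of attributes.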

Base CVSS: 7.5

CWP CVSS: 0.0

Reported by: Ed Chipman, Senior Solutions Architect, Webbuilders Group