CVE-2019-19325 XSS through non-scalar FormField attributes
- Important (?)
- Versions Affected:
- Versions Fixed:
- silverstripe/framework:4.4.5, silverstripe/framework:4.5.2
- Release Date:
The vulnerability is known to apply in at least the following cases:
- The login form provided by Silverstripe. When the login form is used with Multi Factor Authentication (MFA), the attack complexity for phishing increases, and is mitigated by using security keys such as Yubikey as an unphishable token.
- Forms which are configured to populate field values based on request parameters. This usually happens via setting the $value on a FormField instance during construction of the form, or by loading request data via
- Forms which have form validation applied through RequiredFields, and opt out of using CSRF tokens via disableSecurityToken(). In this case, the vulnerability is more impactful if the form is also configured to accept GET submissions, rather than the default of POST submissions.
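As an added illustration, not code from the advisory or from the Silverstripe project, the hypothetical controller below puts the two form configurations listed above (a field populated from a request parameter, and a form that opts out of the CSRF token and accepts GET) next to the safer defaults; the class, field, action and route names are assumptions. Upgrading to one of the fixed framework releases listed above remains the fix.

```php
<?php
// Added example (not from the advisory): a hypothetical page controller that
// contrasts the configurations the advisory lists with the safer defaults.
use SilverStripe\Control\Controller;
use SilverStripe\Forms\FieldList;
use SilverStripe\Forms\Form;
use SilverStripe\Forms\FormAction;
use SilverStripe\Forms\RequiredFields;
use SilverStripe\Forms\TextField;

class ContactPageController extends Controller
{
    private static $allowed_actions = ['ContactForm'];

    public function ContactForm()
    {
        $email = TextField::create('Email', 'Email');

        // Second bullet above: the field value is populated from a request
        // parameter. A request parameter is not guaranteed to be a scalar,
        // so only use it when it is one; otherwise leave the field empty.
        $requested = $this->getRequest()->getVar('Email');
        if (is_scalar($requested)) {
            $email->setValue($requested);
        }

        $form = Form::create(
            $this,
            __FUNCTION__,
            FieldList::create($email),
            FieldList::create(FormAction::create('doSubmit', 'Send')),
            RequiredFields::create('Email')
        );

        // Third bullet above, the weaker configuration, shown for contrast:
        //   $form->disableSecurityToken();  // opts out of the CSRF token
        //   $form->setFormMethod('GET');     // accepts submissions via GET
        // Keep the defaults instead: the security token stays enabled and the
        // form method stays POST, so a crafted URL alone cannot submit the form.

        return $form;
    }

    public function doSubmit($data, Form $form)
    {
        return $this->redirectBack();
    }
}
```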
The vulnerability has not been identified on forms created through the
Base CVSS: 7.5
Reported by: Ed Chipman, Senior Solutions Architect, Webbuilders Group