CVE-2021-27938 XSS in CreateQueuedJobTask
- Severity: Important
- Versions Affected:
  - symbiote/silverstripe-queuedjobs: ^3.0.0, ^4.0.0
- Versions Fixed:
  - symbiote/silverstripe-queuedjobs: 3.0.2, 3.1.4, 4.0.7, 4.1.2, 4.2.4, 4.3.3, 4.4.3, 4.5.1, 4.6.4
- Release Date:
A high severity security vulnerability has been identified in the Silverstripe CMS 3 and 4 versions of the symbiote/silverstripe-queuedjobs module, a popular optional module used to manage dev tasks in the Silverstripe CMS UI. A cross-site scripting (XSS) vulnerability allows an attacker to inject an arbitrary payload into the CreateQueuedJobTask dev task via a specially crafted URL.
The corresponding releases contain a fix. We recommend reviewing the impact it may have on your site(s) and upgrading as soon as possible.
Base CVSS: 7.1
CWP CVSS: 7.1
Reporters: Michael Tsai from ZX Security
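
To check whether a project is on an affected release, the following added example (not part of the original advisory or the module's code) reads a `composer.lock` and compares the installed symbiote/silverstripe-queuedjobs version with the fixed release for its minor line from the "Versions Fixed" list. The sample lock file is constructed, and flagging dev branches and minor lines not named in the advisory for manual review is an assumption of this example.

```python
import json
import re

PACKAGE = "symbiote/silverstripe-queuedjobs"

# First fixed patch release per minor line, from the advisory's "Versions Fixed" list.
FIXED = {(3, 0): 2, (3, 1): 4, (4, 0): 7, (4, 1): 2, (4, 2): 4,
         (4, 3): 3, (4, 4): 3, (4, 5): 1, (4, 6): 4}

def classify(version):
    """Return 'vulnerable', 'fixed', 'not-affected' or 'review' for a version string."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        # dev-master, 4.x-dev, pre-release tags: no tagged release to compare against.
        return "review"
    major, minor, patch = (int(g) for g in m.groups())
    if major not in (3, 4):
        return "not-affected"  # the advisory lists only ^3.0.0 and ^4.0.0
    fixed_patch = FIXED.get((major, minor))
    if fixed_patch is None:
        # Assumption: a minor line the advisory does not name is checked by hand.
        return "review"
    return "fixed" if patch >= fixed_patch else "vulnerable"

def audit_lock(lock_text):
    """Return [(version, status)] for each queuedjobs entry in composer.lock text."""
    lock = json.loads(lock_text)
    entries = (lock.get("packages") or []) + (lock.get("packages-dev") or [])
    return [(p["version"], classify(p["version"]))
            for p in entries
            if p.get("name", "").lower() == PACKAGE]

# Constructed sample lock file, trimmed to the fields this check reads.
SAMPLE_LOCK = """
{
  "packages": [
    {"name": "silverstripe/framework", "version": "4.7.3"},
    {"name": "symbiote/silverstripe-queuedjobs", "version": "4.6.2"}
  ],
  "packages-dev": []
}
"""

if __name__ == "__main__":
    for version, status in audit_lock(SAMPLE_LOCK):
        print(f"{PACKAGE} {version}: {status}")
```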