Skip to main content

This site requires you to update your browser. Your browsing experience maybe affected by not having the most up to date version.

SS-2014-004: SQL injection in SiteTree with custom URLSegmentFilter rules

Severity:
Low (?)
Identifier:
SS-2014-004
Versions Affected:
3.1.3, 3.0.9, and all versions before
Versions Fixed:
3.1.4, 3.0.10
Release Date:
2014-04-01

When a developer removes the default URLSegmentFilter rule, the CMS backend is vulnerable to SQL Injection, as apostrophes are not removed.

The change will make sure the URL is always escaped, regardless of the URL filters.

Download Patch for 3.1 | Download Patch for 3.0

Thanks to Simon Welsh for reporting and submitting a patch.