Silverstripe XSS in dev/build returnURL Parameter
Moderate severity
GitHub Reviewed
Published
May 23, 2024
to the GitHub Advisory Database
•
Updated May 23, 2024
Description
Published to the GitHub Advisory Database
May 23, 2024
Reviewed
May 23, 2024
Last updated
May 23, 2024
A XSS risk exists in the returnURL parameter passed to dev/build. An unvalidated url could cause the user to redirect to an unverified third party url outside of the site.
This issue is resolved in framework 3.1.14 stable release.
References