Silverstripe XSS in Director::force_redirect()
Moderate severity
GitHub Reviewed
Published
May 23, 2024
to the GitHub Advisory Database
•
Updated May 23, 2024
Package
Affected versions
>= 3.1.0, < 3.1.12
Patched versions
3.1.12
Description
Published to the GitHub Advisory Database
May 23, 2024
Reviewed
May 23, 2024
Last updated
May 23, 2024
A low level XSS vulnerability has been found in the Framework affecting http redirection via the Director::force_redirect method.
Attempts to redirect to a url may generate HTML which is not safely escaped, and may pose a risk of XSS in some environments.
This vulnerability is marked low as it is difficult to exploit, as any injected HTML will only be returned from the server if the Location HTTP header is also sent, meaning that any user browsing the site would not be exposed to the body of the response before their browser redirects them.
References