Silverstripe framework is vulnerable to XSS in install.php
Moderate severity
GitHub Reviewed
Published May 23, 2024 to the GitHub Advisory Database
Updated May 23, 2024
Reviewed May 23, 2024
Package
Affected versions: >= 3.1.0, < 3.1.14
Patched versions: 3.1.14
Description
During installation, the admin_username and admin_password parameters are not escaped when they are rendered in the setup form of install.php, which allows cross-site scripting (XSS).
This issue is resolved in 3.1.14 stable, although existing users are advised to remove install.php prior to deploying to a production server.
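The two mitigations above (upgrade to 3.1.14 and remove install.php before production) can be enforced as a pre-deployment gate. The script below is an added example, not code from the advisory or from Silverstripe; the function names, the local release-tree layout and the caller-supplied version string are assumptions.

```sh
#!/bin/sh
# Added example: pre-deployment gate for the install.php advisory.
# Assumptions: the release tree is a local directory; the caller supplies
# the framework version string (how it is obtained is out of scope here).

# Exit 0 if VERSION is in the affected range (>= 3.1.0, < 3.1.14),
# 1 if it is not, 2 if it cannot be parsed. A pre-release of 3.1.14
# (e.g. 3.1.14-rc1) sorts before 3.1.14 stable, so it counts as affected.
version_is_affected() {
    v=${1#v}; pre=0
    case $v in *-*) pre=1; v=${v%%-*} ;; esac
    case $v in *.*.*) ;; *) return 2 ;; esac
    major=${v%%.*}; rest=${v#*.}; minor=${rest%%.*}
    patch=${rest#*.}; patch=${patch%%.*}
    for part in "$major" "$minor" "$patch"; do
        case $part in ''|*[!0-9]*) return 2 ;; esac
    done
    [ "$major" -eq 3 ] && [ "$minor" -eq 1 ] || return 1
    [ "$patch" -lt 14 ] || { [ "$patch" -eq 14 ] && [ "$pre" -eq 1 ]; }
}

# Print every install.php left anywhere under the release tree.
find_installers() {
    find "$1" -type f -name 'install.php'
}

# Exit 0 when the tree may be shipped, 1 otherwise; findings go to stderr.
deploy_gate() {
    root=$1; version=$2; fail=0; rc=0
    found=$(find_installers "$root")
    if [ -n "$found" ]; then
        printf 'installer still present, remove before deploy:\n%s\n' "$found" >&2
        fail=1
    fi
    version_is_affected "$version" || rc=$?
    case $rc in
        0) echo "version $version is affected, upgrade to 3.1.14" >&2; fail=1 ;;
        2) echo "version '$version' not understood, check manually" >&2; fail=1 ;;
    esac
    return "$fail"
}

# Constructed sample tree: a release that still ships the installer.
demo=$(mktemp -d)
mkdir -p "$demo/site"; : > "$demo/site/index.php"; : > "$demo/site/install.php"
deploy_gate "$demo/site" 3.1.13 || echo "gate: blocked"
rm -f "$demo/site/install.php"
deploy_gate "$demo/site" 3.1.14 && echo "gate: ok"
rm -rf "$demo"
```

The gate fails a patched release that still contains install.php, since the advisory recommends removing the file regardless of version.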