Silverstripe XSS in TreeDropdownField and TreeMultiSelectField
Moderate severity
GitHub Reviewed
Published
May 23, 2024
to the GitHub Advisory Database
Package
Affected versions
>= 3.1.0, <= 3.1.9
Patched versions
3.1.10
Description
Published to the GitHub Advisory Database
May 23, 2024
Reviewed
May 23, 2024
A cross-site scripting vulnerability has been discovered in the TreeDropdownField and TreeMultiSelectField.
This vulnerability can only be exploited if a user with CMS access has posted malicious or unescaped HTML into any of the dataobjects used as a data source for either of these fields.
This has been resolved by ensuring that all dataobjects used as a data source have their content safely encoded.
References