{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/19452?format=json","vulnerability_id":"VCID-116r-5a94-fuds","summary":"Silverstripe admin XSS Vulnerability via WYSIWYG editor\nIt is possible for a bad actor with access to the CMS to make use of onmouseover or onmouseout attributes in the WYSIWYG editor to embed malicious javascript.","aliases":[{"alias":"GHSA-779c-7w4p-2c4g"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/60549?format=json","purl":"pkg:composer/silverstripe/admin@1.0.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-a2ds-v3du-3qcm"},{"vulnerability":"VCID-k6d6-ebmd-jufu"},{"vulnerability":"VCID-kfgu-7y1x-vugs"},{"vulnerability":"VCID-pq29-qe7h-tkcp"},{"vulnerability":"VCID-r237-7hnx-kbeq"},{"vulnerability":"VCID-tc2y-zrea-vyb2"},{"vulnerability":"VCID-udzs-xehs-d3cd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/admin@1.0.4"},{"url":"http://public2.vulnerablecode.io/api/packages/60550?format=json","purl":"pkg:composer/silverstripe/admin@1.1.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-a2ds-v3du-3qcm"},{"vulnerability":"VCID-k6d6-ebmd-jufu"},{"vulnerability":"VCID-kfgu-7y1x-vugs"},{"vulnerability":"VCID-pq29-qe7h-tkcp"},{"vulnerability":"VCID-r237-7hnx-kbeq"},{"vulnerability":"VCID-tc2y-zrea-vyb2"},{"vulnerability":"VCID-udzs-xehs-d3cd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/admin@1.1.1"}],"affected_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/145569?format=json","purl":"pkg:composer/silverstripe/admin@1.0.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-116r-5a94-fuds"},{"vulnerability":"VCID-a2ds-v3du-3qcm"},{"vulnerability":"VCID-k6d6-ebmd-jufu"},{"vulnerability":"VCID-kfgu-7y1x-vugs"},{"vulnerability":"VCID-pq29-qe7h-tkcp"},{"vulnerability":"VCID-r237-7hnx-kbeq"},{"vulnerability":"VCID-tc2y-zrea-vyb2"},{"vulnerability":"VCID-udzs-xehs-d3cd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/admin@1.0.3"},{"url":"http://public2.vulnerablecode.io/api/packages/145568?format=json","purl":"pkg:composer/silverstripe/admin@1.1.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-116r-5a94-fuds"},{"vulnerability":"VCID-a2ds-v3du-3qcm"},{"vulnerability":"VCID-k6d6-ebmd-jufu"},{"vulnerability":"VCID-kfgu-7y1x-vugs"},{"vulnerability":"VCID-pq29-qe7h-tkcp"},{"vulnerability":"VCID-r237-7hnx-kbeq"},{"vulnerability":"VCID-tc2y-zrea-vyb2"},{"vulnerability":"VCID-udzs-xehs-d3cd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/admin@1.1.0"}],"references":[{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/admin/SS-2018-004-1.yaml","reference_id":"","reference_type":"","scores":[{"value":"3.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/admin/SS-2018-004-1.yaml"},{"reference_url":"https://github.com/silverstripe/silverstripe-admin","reference_id":"","reference_type":"","scores":[{"value":"3.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/silverstripe/silverstripe-admin"},{"reference_url":"https://www.silverstripe.org/download/security-releases/ss-2018-004","reference_id":"","reference_type":"","scores":[{"value":"3.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.silverstripe.org/download/security-releases/ss-2018-004"},{"reference_url":"https://github.com/advisories/GHSA-779c-7w4p-2c4g","reference_id":"GHSA-779c-7w4p-2c4g","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-779c-7w4p-2c4g"}],"weaknesses":[{"cwe_id":79,"name":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","description":"The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users."},{"cwe_id":937,"name":"OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."},{"cwe_id":1035,"name":"OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."}],"exploits":[],"severity_range_score":"0.1 - 3.8","exploitability":"0.5","weighted_severity":"3.4","risk_score":1.7,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-116r-5a94-fuds"}