{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54997?format=json","vulnerability_id":"VCID-f4hv-79km-3ygt","summary":"Silverstripe Cross-site scripting vulnerability in VersionedRequestFilter\nA cross-site scripting vulnerability in VersionedRequestFilter has been found.\n\nIf an incoming user request should not be able to access the requested stage, an error message is created for display on the CMS login page that they are redirected to. In this error message, the URL of the requested page is interpolated into the error message without being escaped; hence, arbitrary HTML can be injected into the CMS login page.","aliases":[{"alias":"GHSA-mpqj-f4v3-334h"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/52857?format=json","purl":"pkg:composer/silverstripe/framework@3.3.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1mmc-91gk-r3d3"},{"vulnerability":"VCID-36z3-nafq-6kez"},{"vulnerability":"VCID-3x46-q9cb-7ubg"},{"vulnerability":"VCID-7hxq-cp29-r7dh"},{"vulnerability":"VCID-b6nm-cphj-wfgw"},{"vulnerability":"VCID-b95v-49p7-fkas"},{"vulnerability":"VCID-c6bz-jwhm-vkgp"},{"vulnerability":"VCID-cmwn-cjff-9qau"},{"vulnerability":"VCID-hnme-cqff-c7dp"},{"vulnerability":"VCID-mkex-ht2r-cucz"},{"vulnerability":"VCID-nute-ndg2-z7ev"},{"vulnerability":"VCID-qdwg-f2bx-1bay"},{"vulnerability":"VCID-r1eg-dwej-5kau"},{"vulnerability":"VCID-t81f-5b8z-hyht"},{"vulnerability":"VCID-umhc-fdfh-1fdx"},{"vulnerability":"VCID-xg74-3h1h-kqaf"},{"vulnerability":"VCID-y8et-m846-2fc6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@3.3.3"},{"url":"http://public2.vulnerablecode.io/api/packages/52858?format=json","purl":"pkg:composer/silverstripe/framework@3.4.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1mmc-91gk-r3d3"},{"vulnerability":"VCID-36z3-nafq-6kez"},{"vulnerability":"VCID-3x46-q9cb-7ubg"},{"vulnerability":"VCID-7hxq-cp29-r7dh"},{"vulnerability":"VCID-b6nm-cphj-wfgw"},{"vulnerability":"VCID-b95v-49p7-fkas"},{"vulnerability":"VCID-c6bz-jwhm-vkgp"},{"vulnerability":"VCID-cmwn-cjff-9qau"},{"vulnerability":"VCID-hnme-cqff-c7dp"},{"vulnerability":"VCID-mkex-ht2r-cucz"},{"vulnerability":"VCID-nute-ndg2-z7ev"},{"vulnerability":"VCID-qdwg-f2bx-1bay"},{"vulnerability":"VCID-r1eg-dwej-5kau"},{"vulnerability":"VCID-t81f-5b8z-hyht"},{"vulnerability":"VCID-umhc-fdfh-1fdx"},{"vulnerability":"VCID-xg74-3h1h-kqaf"},{"vulnerability":"VCID-y8et-m846-2fc6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@3.4.1"}],"affected_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/52691?format=json","purl":"pkg:composer/silverstripe/framework@3.3.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1mmc-91gk-r3d3"},{"vulnerability":"VCID-36z3-nafq-6kez"},{"vulnerability":"VCID-3svb-wudn-aybz"},{"vulnerability":"VCID-3x46-q9cb-7ubg"},{"vulnerability":"VCID-7ek4-6y31-1qcs"},{"vulnerability":"VCID-7hxq-cp29-r7dh"},{"vulnerability":"VCID-at1s-qxsg-5yfs"},{"vulnerability":"VCID-b6nm-cphj-wfgw"},{"vulnerability":"VCID-b95v-49p7-fkas"},{"vulnerability":"VCID-c437-w2zy-y7c9"},{"vulnerability":"VCID-c6bz-jwhm-vkgp"},{"vulnerability":"VCID-cmwn-cjff-9qau"},{"vulnerability":"VCID-ewg1-jqza-eyez"},{"vulnerability":"VCID-f4hv-79km-3ygt"},{"vulnerability":"VCID-gkkp-9fm7-jfaz"},{"vulnerability":"VCID-hnme-cqff-c7dp"},{"vulnerability":"VCID-mkex-ht2r-cucz"},{"vulnerability":"VCID-nute-ndg2-z7ev"},{"vulnerability":"VCID-qdwg-f2bx-1bay"},{"vulnerability":"VCID-r1eg-dwej-5kau"},{"vulnerability":"VCID-t81f-5b8z-hyht"},{"vulnerability":"VCID-umhc-fdfh-1fdx"},{"vulnerability":"VCID-xg74-3h1h-kqaf"},{"vulnerability":"VCID-y8et-m846-2fc6"},{"vulnerability":"VCID-z28b-1yrx-1bbn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@3.3.2"},{"url":"http://public2.vulnerablecode.io/api/packages/81579?format=json","purl":"pkg:composer/silverstripe/framework@3.4.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1mmc-91gk-r3d3"},{"vulnerability":"VCID-36z3-nafq-6kez"},{"vulnerability":"VCID-3svb-wudn-aybz"},{"vulnerability":"VCID-3x46-q9cb-7ubg"},{"vulnerability":"VCID-7ek4-6y31-1qcs"},{"vulnerability":"VCID-7hxq-cp29-r7dh"},{"vulnerability":"VCID-9hf4-djcv-67d7"},{"vulnerability":"VCID-at1s-qxsg-5yfs"},{"vulnerability":"VCID-b6nm-cphj-wfgw"},{"vulnerability":"VCID-b95v-49p7-fkas"},{"vulnerability":"VCID-c437-w2zy-y7c9"},{"vulnerability":"VCID-c6bz-jwhm-vkgp"},{"vulnerability":"VCID-cmwn-cjff-9qau"},{"vulnerability":"VCID-ewg1-jqza-eyez"},{"vulnerability":"VCID-f4hv-79km-3ygt"},{"vulnerability":"VCID-gkkp-9fm7-jfaz"},{"vulnerability":"VCID-hnme-cqff-c7dp"},{"vulnerability":"VCID-mkex-ht2r-cucz"},{"vulnerability":"VCID-nute-ndg2-z7ev"},{"vulnerability":"VCID-qdwg-f2bx-1bay"},{"vulnerability":"VCID-r1eg-dwej-5kau"},{"vulnerability":"VCID-t81f-5b8z-hyht"},{"vulnerability":"VCID-umhc-fdfh-1fdx"},{"vulnerability":"VCID-xg74-3h1h-kqaf"},{"vulnerability":"VCID-y8et-m846-2fc6"},{"vulnerability":"VCID-z28b-1yrx-1bbn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@3.4.0"}],"references":[{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2016-007-1.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2016-007-1.yaml"},{"reference_url":"https://github.com/silverstripe/silverstripe-framework","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/silverstripe/silverstripe-framework"},{"reference_url":"https://github.com/silverstripe/silverstripe-framework/commit/3fa84cf0c64a539d78600c36364817a8e38411d8","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/silverstripe/silverstripe-framework/commit/3fa84cf0c64a539d78600c36364817a8e38411d8"},{"reference_url":"https://github.com/silverstripe/silverstripe-framework/commit/41be95c95a55031412ee4056aeee5c2c69595836","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/silverstripe/silverstripe-framework/commit/41be95c95a55031412ee4056aeee5c2c69595836"},{"reference_url":"https://www.silverstripe.org/download/security-releases/ss-2016-007","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.silverstripe.org/download/security-releases/ss-2016-007"},{"reference_url":"https://github.com/advisories/GHSA-mpqj-f4v3-334h","reference_id":"GHSA-mpqj-f4v3-334h","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-mpqj-f4v3-334h"}],"weaknesses":[{"cwe_id":79,"name":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","description":"The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users."},{"cwe_id":937,"name":"OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."},{"cwe_id":1035,"name":"OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."}],"exploits":[],"severity_range_score":"4.0 - 6.9","exploitability":"0.5","weighted_severity":"6.2","risk_score":3.1,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-f4hv-79km-3ygt"}