Search for vulnerabilities
| Vulnerability ID | VCID-4qq2-bbj1-8fdb |
| Aliases |
GHSA-mqf3-qpc3-g26q
|
| Summary | Silverstripe Framework has a Reflected Cross Site Scripting (XSS) in error message > [!IMPORTANT] > This vulnerability only affects sites which are in the "dev" environment mode. If your production website is in "dev" mode, it has been misconfigured, and you should immediately swap it to "live" mode. > See https://docs.silverstripe.org/en/developer_guides/debugging/environment_types/ for more information. If a website has been set to the "dev" environment mode, a URL can be provided which includes an XSS payload which will be executed in the resulting error message. ## References - https://www.silverstripe.org/download/security-releases/ss-2024-002 ## Reported by Gaurav Nayak from [Chaleit](https://chaleit.com/) |
| Status | Published |
| Exploitability | None |
| Weighted Severity | None |
| Risk | None |
| Affected and Fixed Packages | Package Details |
| System | Score | Found at |
|---|---|---|
| cvssv3.1 | 0.0 | https://github.com/silverstripe/silverstripe-framework |
| generic_textual | LOW | https://github.com/silverstripe/silverstripe-framework |
| cvssv3.1 | 0.0 | https://github.com/silverstripe/silverstripe-framework/commit/a555dad4ec73c929f6316bcb4019eb325a5b77d8 |
| generic_textual | LOW | https://github.com/silverstripe/silverstripe-framework/commit/a555dad4ec73c929f6316bcb4019eb325a5b77d8 |
| cvssv3.1 | 0.0 | https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-mqf3-qpc3-g26q |
| generic_textual | LOW | https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-mqf3-qpc3-g26q |
| cvssv3.1 | 0.0 | https://www.silverstripe.org/download/security-releases/ss-2024-002 |
| generic_textual | LOW | https://www.silverstripe.org/download/security-releases/ss-2024-002 |
| Attack Vector (AV) | Attack Complexity (AC) | Privileges Required (PR) | User Interaction (UI) | Scope (S) | Confidentiality Impact (C) | Integrity Impact (I) | Availability Impact (A) |
|---|---|---|---|---|---|---|---|
network adjacent_network local physical |
low high |
none low high |
none required |
unchanged changed |
high low none |
high low none |
high low none |
| Attack Vector (AV) | Attack Complexity (AC) | Privileges Required (PR) | User Interaction (UI) | Scope (S) | Confidentiality Impact (C) | Integrity Impact (I) | Availability Impact (A) |
|---|---|---|---|---|---|---|---|
network adjacent_network local physical |
low high |
none low high |
none required |
unchanged changed |
high low none |
high low none |
high low none |
| Attack Vector (AV) | Attack Complexity (AC) | Privileges Required (PR) | User Interaction (UI) | Scope (S) | Confidentiality Impact (C) | Integrity Impact (I) | Availability Impact (A) |
|---|---|---|---|---|---|---|---|
network adjacent_network local physical |
low high |
none low high |
none required |
unchanged changed |
high low none |
high low none |
high low none |
| Attack Vector (AV) | Attack Complexity (AC) | Privileges Required (PR) | User Interaction (UI) | Scope (S) | Confidentiality Impact (C) | Integrity Impact (I) | Availability Impact (A) |
|---|---|---|---|---|---|---|---|
network adjacent_network local physical |
low high |
none low high |
none required |
unchanged changed |
high low none |
high low none |
high low none |
No EPSS data available for this vulnerability.
| Date | Actor | Action | Source | VulnerableCode Version |
|---|---|---|---|---|
| 2026-05-31T11:00:18.387251+00:00 | GithubOSV Importer | Import | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-mqf3-qpc3-g26q/GHSA-mqf3-qpc3-g26q.json | 38.6.0 |