Search for vulnerabilities
| Vulnerability ID | VCID-wvkf-cwf2-ykg1 |
| Aliases |
GHSA-r32j-mr8p-hfp8
|
| Summary | Silverstripe XSS in TreeDropdownField and TreeMultiSelectField A cross-site scripting vulnerability has been discovered in the TreeDropdownField and TreeMultiSelectField. This vulnerability can only be exploited if a user with CMS access has posted malicious or unescaped HTML into any of the dataobjects used as a data source for either of these fields. This has been resolved by ensuring that all dataobjects used as a data source have their content safely encoded. |
| Status | Published |
| Exploitability | None |
| Weighted Severity | None |
| Risk | None |
| Affected and Fixed Packages | Package Details |
| System | Score | Found at |
|---|---|---|
| cvssv3.1_qr | MODERATE | https://github.com/advisories/GHSA-r32j-mr8p-hfp8 |
| cvssv3.1 | 6.1 | https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2015-004-1.yaml |
| generic_textual | MODERATE | https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2015-004-1.yaml |
| cvssv3.1 | 6.1 | https://github.com/silverstripe/silverstripe-framework |
| generic_textual | MODERATE | https://github.com/silverstripe/silverstripe-framework |
| cvssv3.1 | 6.1 | https://github.com/silverstripe/silverstripe-framework/commit/89c14d079d3a130d6c4029af596262528ce53925 |
| generic_textual | MODERATE | https://github.com/silverstripe/silverstripe-framework/commit/89c14d079d3a130d6c4029af596262528ce53925 |
| cvssv3.1 | 6.1 | https://www.silverstripe.org/software/download/security-releases/ss-2015-004 |
| generic_textual | MODERATE | https://www.silverstripe.org/software/download/security-releases/ss-2015-004 |
| Attack Vector (AV) | Attack Complexity (AC) | Privileges Required (PR) | User Interaction (UI) | Scope (S) | Confidentiality Impact (C) | Integrity Impact (I) | Availability Impact (A) |
|---|---|---|---|---|---|---|---|
network adjacent_network local physical |
low high |
none low high |
none required |
unchanged changed |
high low none |
high low none |
high low none |
| Attack Vector (AV) | Attack Complexity (AC) | Privileges Required (PR) | User Interaction (UI) | Scope (S) | Confidentiality Impact (C) | Integrity Impact (I) | Availability Impact (A) |
|---|---|---|---|---|---|---|---|
network adjacent_network local physical |
low high |
none low high |
none required |
unchanged changed |
high low none |
high low none |
high low none |
| Attack Vector (AV) | Attack Complexity (AC) | Privileges Required (PR) | User Interaction (UI) | Scope (S) | Confidentiality Impact (C) | Integrity Impact (I) | Availability Impact (A) |
|---|---|---|---|---|---|---|---|
network adjacent_network local physical |
low high |
none low high |
none required |
unchanged changed |
high low none |
high low none |
high low none |
| Attack Vector (AV) | Attack Complexity (AC) | Privileges Required (PR) | User Interaction (UI) | Scope (S) | Confidentiality Impact (C) | Integrity Impact (I) | Availability Impact (A) |
|---|---|---|---|---|---|---|---|
network adjacent_network local physical |
low high |
none low high |
none required |
unchanged changed |
high low none |
high low none |
high low none |
No EPSS data available for this vulnerability.
| Date | Actor | Action | Source | VulnerableCode Version |
|---|---|---|---|---|
| 2026-05-29T08:47:00.659374+00:00 | GithubOSV Importer | Import | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-r32j-mr8p-hfp8/GHSA-r32j-mr8p-hfp8.json | 38.6.0 |