Headline
GHSA-97jm-g33h-f46g: silverstripe/framework ReadOnly transformation for formfields exploitable
Form fields returning isReadonly() as true are vulnerable to reflected XSS injections. This includes ReadonlyField, LookupField, HTMLReadonlyField, as well as special purpose fields like TimeField_Readonly. Values submitted to through these form fields are not filtered out from the form session data, and might be shown to the user depending on the form behaviour. For example, form validation errors cause the form to re-render with previously submitted values by default.
SilverStripe forms automatically load values from request data (GET and POST), which enables malicious use of URLs if your form uses these fields and doesn’t overwrite data on form construction.
Readonly and disabled form fields are already filtered out in Form->saveInto(), so maliciously submitted data on these fields doesn’t make it into the database unless you are accessing form values directly in your saving logic.
- GitHub Advisory Database
- GitHub Reviewed
- GHSA-97jm-g33h-f46g
silverstripe/framework ReadOnly transformation for formfields exploitable
Moderate severity GitHub Reviewed Published May 23, 2024 to the GitHub Advisory Database • Updated May 23, 2024
Package
composer silverstripe/framework (Composer)
Affected versions
< 3.1.21
>= 3.2.0, < 3.2.6
>= 3.3.0, < 3.3.4
>= 3.4.0, < 3.4.2
Patched versions
3.1.21
3.2.6
3.3.4
3.4.2
Form fields returning isReadonly() as true are vulnerable to reflected XSS injections. This includes ReadonlyField, LookupField, HTMLReadonlyField, as well as special purpose fields like TimeField_Readonly. Values submitted to through these form fields are not filtered out from the form session data, and might be shown to the user depending on the form behaviour. For example, form validation errors cause the form to re-render with previously submitted values by default.
SilverStripe forms automatically load values from request data (GET and POST), which enables malicious use of URLs if your form uses these fields and doesn’t overwrite data on form construction.
Readonly and disabled form fields are already filtered out in Form->saveInto(), so maliciously submitted data on these fields doesn’t make it into the database unless you are accessing form values directly in your saving logic.
References
- silverstripe/silverstripe-framework@8336cb9
- https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2016-010-1.yaml
- https://www.silverstripe.org/download/security-releases/ss-2016-010
Published to the GitHub Advisory Database
May 23, 2024
Last updated
May 23, 2024