HAWKI version 1.0.0-beta.1 before commit 146967f suffers from cross site scripting, arbitrary file overwrite, and session fixation vulnerabilities.

  SEC Consult Vulnerability Lab Security Advisory < 20240527-0 >  
=======================================================================  
               title: Multiple vulnerabilities  
             product: HAWKI (Interaction Design Team at the University of Applied  
                      Sciences and Arts in Hildesheim/Germany)  
  vulnerable version: 1.0.0-beta.1, versions before commit 146967f  
       fixed version: Github commit 146967f  
          CVE number: CVE-2024-25975, CVE-2024-25976, CVE-2024-25977  
              impact: high  
            homepage: https://github.com/HAWK-Digital-Environments/HAWKI  
               found: 2024-03-05  
                  by: Florian Stuhlmann (Office Bochum)  
                      Thorger Jansen (Office Bochum)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Eviden business  
                      Europe | Asia

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"HAWKI is a didactic interface for universities based on the OpenAI API.  
It is not necessary for users to create an account, the university ID  
is sufficient for login - no user-related data is stored."

Source: https://github.com/HAWK-Digital-Environments/HAWKI

Business recommendation:  
------------------------  
The vendor provides a patch which should be installed immediately.

SEC Consult highly recommends to perform a thorough security review of the  
product conducted by security professionals to identify and resolve potential  
further security issues.

Vulnerability overview/description:  
-----------------------------------  
1) Arbitrary File Overwrite (CVE-2024-25975)  
The application implements an up- and downvote function which alters a  
value within a JSON file. The POST parameters are not filtered properly  
and therefore an arbitrary file can be overwritten. The file can be  
controlled by an authenticated attacker, the content cannot be controlled.  
It is possible to overwrite all files for which the webserver has write access.  
It is required to supply a relative path (path traversal).

2) Reflected Cross-Site-Scripting (CVE-2024-25976)  
When LDAP authentication is activated in the configuration it is possible  
to obtain reflected XSS execution by creating a custom URL that the  
victim only needs to open in order to execute arbitrary JavaScript code in  
the victim's browser.

3) Session Fixation (CVE-2024-25977)  
The application does not change the session token when using the login or  
logout functionality. An attacker can set a session token in the victim's  
browser (e.g. via XSS) and prompt the victim to log in (e.g. via a redirect  
to the login page). This results in the victim's account being taken over.

Proof of concept:  
-----------------  
1) Arbitrary File Overwrite (CVE-2024-25975)  
The following POST request can overwrite the file "AvatarFinanzen.png". This  
file is a default file located within the "img" folder.

---  
POST /downvote.php HTTP/2  
Host: $host  
Cookie: PHPSESSID=<Session Id>  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 25

../img/AvatarFinanzen.png  
---

Both upvote.php and downvote.php are vulnerable. The vulnerable part in  
downvote.php is:

---  
[...]  
  $id = file_get_contents("php://input");  
  $sanitizedId = htmlspecialchars($id, ENT_QUOTES, 'UTF-8');  
  $file = "feedback/" . $sanitizedId;  
[...]  
  file_put_contents("feedback/$sanitizedId", json_encode($json));  
[...]  
---

2) Reflected Cross-Site-Scripting (XSS) (CVE-2024-25976)  
A call to the following URL will trigger an alertbox:

---  
https://$host/HAWKI/login.php/"><script>alert(document.cookie)</script>  
---

This is due to a fault in the file login.php where the content of  
"$_SERVER['PHP_SELF']" is reflected into the HTML of the website. Hence  
the attacker does not need a valid account in order to exploit this issue  
The following code is vulnerable:

---  
[...]  
  $server = $_SERVER['PHP_SELF'];  
[...]  
  echo '<form action = "' . $server . '" class="column" method = "post" >  
[...]  
---

The vulnerability is exploitable with the Apache2 default configuration.  
For other webservers, the vulnerability might not be exploitable.

3) Session Fixation (CVE-2024-25977)  
The attacker changes the value of PHPSESSID within the victim's browser to  
something like "abc". An attacker with the same value for PHPSESSID is now  
authenticated as well after the victim uses successfully logs in.

Vulnerable / tested versions:  
-----------------------------  
The following version has been tested which was the latest version available  
at the time of the test:  
* 1.0.0-beta.1

Vendor contact timeline:  
------------------------  
2024-03-21: Contacting vendor through email referenced on Github  
2024-03-22: Asking about email encryption, sending report unencrypted  
             as requested.  
2024-04-17: Asked the vendor again to receive details regarding the timeline.  
2024-04-18: Vendor provides a patch pushed to the public repository.  
2024-05: Fix verification phase.  
2024-05-27: Release of security advisory.

Solution:  
---------  
The vendor provides a patch which can be downloaded from  
https://github.com/HAWK-Digital-Environments/HAWKI/commit/146967f3148e92d1640ffebc21d8914e2d7fb3f1

Workaround:  
-----------  
No workaround available.

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab  
An integrated part of SEC Consult, an Eviden business  
Europe | Asia

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Eviden business. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: https://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF Florian Stuhlmann & Thorger Jansen / @2024

HAWKI 1.0.0-beta.1 XSS / File Overwrite / Session Fixation

Ubuntu Security Notice 6788-1 - Several security issues were discovered in the WebKitGTK Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution.

==========================================================================  
Ubuntu Security Notice USN-6788-1  
May 28, 2024

webkit2gtk vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS  
- Ubuntu 23.10  
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in WebKitGTK.

Software Description:  
- webkit2gtk: Web content engine library for GTK+

Details:

Several security issues were discovered in the WebKitGTK Web and JavaScript  
engines. If a user were tricked into viewing a malicious website, a remote  
attacker could exploit a variety of issues related to web browser security,  
including cross-site scripting attacks, denial of service attacks, and  
arbitrary code execution.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 24.04 LTS  
   libjavascriptcoregtk-4.1-0      2.44.2-0ubuntu0.24.04.1  
   libjavascriptcoregtk-6.0-1      2.44.2-0ubuntu0.24.04.1  
   libwebkit2gtk-4.1-0             2.44.2-0ubuntu0.24.04.1  
   libwebkitgtk-6.0-4              2.44.2-0ubuntu0.24.04.1

Ubuntu 23.10  
   libjavascriptcoregtk-4.0-18     2.44.2-0ubuntu0.23.10.1  
   libjavascriptcoregtk-4.1-0      2.44.2-0ubuntu0.23.10.1  
   libjavascriptcoregtk-6.0-1      2.44.2-0ubuntu0.23.10.1  
   libwebkit2gtk-4.0-37            2.44.2-0ubuntu0.23.10.1  
   libwebkit2gtk-4.1-0             2.44.2-0ubuntu0.23.10.1  
   libwebkitgtk-6.0-4              2.44.2-0ubuntu0.23.10.1

Ubuntu 22.04 LTS  
   libjavascriptcoregtk-4.0-18     2.44.2-0ubuntu0.22.04.1  
   libjavascriptcoregtk-4.1-0      2.44.2-0ubuntu0.22.04.1  
   libjavascriptcoregtk-6.0-1      2.44.2-0ubuntu0.22.04.1  
   libwebkit2gtk-4.0-37            2.44.2-0ubuntu0.22.04.1  
   libwebkit2gtk-4.1-0             2.44.2-0ubuntu0.22.04.1  
   libwebkitgtk-6.0-4              2.44.2-0ubuntu0.22.04.1

This update uses a new upstream release, which includes additional bug  
fixes. After a standard system update you need to restart any applications  
that use WebKitGTK, such as Epiphany, to make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6788-1  
   CVE-2024-27834

Package Information:  
   https://launchpad.net/ubuntu/+source/webkit2gtk/2.44.2-0ubuntu0.24.04.1  
   https://launchpad.net/ubuntu/+source/webkit2gtk/2.44.2-0ubuntu0.23.10.1  
   https://launchpad.net/ubuntu/+source/webkit2gtk/2.44.2-0ubuntu0.22.04.1

Ubuntu Security Notice USN-6788-1

Police are using subtle psychological operations against ransomware gangs to sow distrust in their ranks—and trick them into emerging from the shadows.

Russian cybercriminals are almost untouchable. For years, hackers based in the country have launched devastating ransomware attacks against hospitals, critical infrastructure, and businesses, causing billions in losses. But they’re out of reach of Western law enforcement and largely ignored by the Russian authorities. When police do take the criminals’ servers and websites offline, they’re often back hacking within weeks.

Now investigators are increasingly adding a new dimension to their disruption playbook: messing with cybercriminals’ minds. To put it bluntly, they’re trolling the hackers.

In recent months, Western law enforcement officials have turned to psychological measures as an added way to slow down Russian hackers and cut to the heart of the sweeping cybercrime ecosystem. These nascent psyops include efforts to erode the limited trust the criminals have in each other, driving subtle wedges between fragile hacker egos, and sending offenders personalized messages showing they’re being watched.

“We’re never going to get to the kernel of these organized criminal gangs, but if we can minimize the impact they have by reducing their ability to scale, then that's a good thing,” says Don Smith, vice president of threat research at security firm Secureworks. “All of these little things, which in themselves may not be a killer blow, they all add friction,” he says. “You can look for cracks, amplify them, and create further discord and mistrust so it slows down what the bad guys are doing.”

Take Operation Cronos. In February, a global law enforcement operation, led by the UK’s National Crime Agency (NCA), infiltrated the LockBit ransomware group, which authorities say has extorted more than $500 million from victims, and took its systems offline. Investigators at the NCA redesigned LockBit’s leak website, where it published its victims’ stolen data, and used the site to publish LockBit’s inner workings.

Demonstrating the control and data they had, law enforcement published images of LockBit’s administration system and internal conversations. Investigators also published the usernames and login details of 194 LockBit “affiliate” members. This was expanded in May to include the members’ surnames.

The policing operation also teased the unveiling of “LockBitSupp,” the mastermind behind the group, and said they had been “engaging” with law enforcement. Russian national Dmitry Yuryevich Khoroshev was charged with running LockBit in May, following a multiday countdown clock being published on the seized LockBit website and bold graphics naming him as the group’s organizer.

“LockBit prided itself on its brand and anonymity, valuing these things above anything else," says Paul Foster, director of threat leadership at the NCA. “Our operation has shattered that anonymity and completely undermined the brand, driving cybercriminals away from using their services.” The NCA says it carefully considered the operation, with its efforts to rebuild LockBit's site leading to the group being widely mocked online and making its brand “toxic” to cybercriminals who had worked with it.

“We recognized that a technical disruption in isolation wouldn’t necessarily destroy LockBit, therefore our additional infiltration and control, alongside arrests and sanctions in partnership with our international partners, has enhanced our impact on LockBit and created a platform for more law enforcement action in the future,” Foster says.

When LockBit members logged in to the group’s administration systems, they received a personalized message saying authorities had gathered their username, cryptocurrency wallet details, internal chats and chats with victims, and IP addresses. As noted by researchers at cybersecurity firm Analyst1, these “psychological tactics” targeted two areas: “brand reputation and interpersonal relationships among actors.”

The efforts go beyond the LockBit takedown. In April, London’s Metropolitan Police disrupted LabHost, a service that allowed scammers to create phishing websites to trick people into handing over their emails and passwords. Around 800 criminal LabHost users were sent personalized video messages by the police detailing “all the data we have about you.” Countries where they targeted victims were included, as well as IP addresses they had used. “We’ve been watching you every time you visited us,” the voiceover in the video says.

“These messages aren't just for the existing participants in the criminal ecosystem,” says Secureworks’ Smith. “These are messages for people who maybe are on the edge of deciding to participate.” Within the sprawling cybercrime ecosystem, there’s not much trust between thieves who can con each other out of millions of dollars, but reinforcing and amplifying the divisions has the potential to make it harder to organize efficient criminal enterprises.

Understanding how much of an impact psychological operations have is difficult, but researchers say the criminals are always watching. Of 194 LockBit affiliates, only 69 have returned to the platform since the law enforcement action in February, the NCA says. The hackers read the news and cybersecurity research, discussing it on Russian-language cybercrime forums, researchers say. The XSS forum has one thread called “Juicy arrests” that has more than 1,000 posts since 2017, says Victoria Kivilevich, director of threat research at security firm KELA, which monitors the cybercriminal underground.

Opinions on the LockBit takedown were divided among XSS users, Kivilevich says. In one post in February, Kivilevich says, a cybercriminal questioned why the group’s leader had not been named or sanctioned at that point. “They have that much information, they must have at least something about him,” a translated post reads. “Or maybe he works with them.” Another urged people not to make memes or joke about the situation. “You understand that at some point this may affect you too,” they wrote.

Kivilevich points to other instances where cybercriminals on forums have become disillusioned or disgruntled by law enforcement targeting some members. When members of the Conti and Trickbot ransomware groups were sanctioned in February 2023, LockBitSupp asked where the sanctions were for the Trickbot leader “Stern” and other high-profile actor “Baddie.” As a further 11 members of Conti and Trickbot were sanctioned in September 2023, days after WIRED named one of the members, a cybercriminal complained that some of those sanctioned “never have had high profiles.” They went on to say there is a feeling of “injustice”: “What was the point of adding fucking managers who didn’t decide much in the business.”

Andréanne Bergeron, director of research at security firm GoSecure who specializes in criminal behavior and police intervention, says there may be two outcomes from naming some criminals and not others. Those that are named may “feel it is unjust to be punished while others go free” and may end up cooperating or working with law enforcement as a result.

Bergeron also says malicious hackers often “crave recognition” for their actions. “When their colleagues receive all the ‘credit,’ even if it includes being sanctioned, these unnamed individuals may feel compelled to reveal themselves to gain recognition,” Bergeron says. “This desire for recognition can drive them to engage in risky behaviors, potentially exposing themselves to authorities in their pursuit of validation.”

While law enforcement may be using some psychological tactics alongside more traditional technical takedowns and sanctions, there’s also scientific research looking at the ways in which cyber psychology can disrupt criminal hackers. The US Intelligence Community's research agency, the Intelligence Advanced Research Projects Activity (Iarpa), has started work on a project to create new cybersecurity defenses by exploiting the human weaknesses of attackers.

Psychology can be used as a way to “understand, anticipate, and influence” the behavior of cyberattackers, says Kimberly Ferguson-Walter, the Iarpa program manager leading the project. The research, which is in its early stages, is looking to build tools and methods to capitalize on the human weaknesses of cybercriminals based on established psychology principles. For instance, if an attacker can be made to feel like they are safe when they are compromising a system, they may engage in riskier behavior and expose themselves.

“If you can deter somebody from attacking your network, that’s about as good as it gets,” Ferguson-Walter says. “I think the more scared or uncertain they are about how the defenses work, the better your odds for doing that are."

Cops Are Just Trolling Cybercriminals Now

Authenticated user with page edit permission can craft HTML, which when rendered in a page history comparison can execute client scripts.

Skip to content

**Navigation Menu**

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  GHSA-c4c3-j73v-634r

**silverstripe/framework has Cross-site Scripting vulnerability in page history comparison**

Moderate severity GitHub Reviewed Published May 27, 2024 to the GitHub Advisory Database • Updated May 27, 2024

**Package**

composer silverstripe/framework (Composer)

**Affected versions**

\>= 3.4.0-rc1, < 3.4.6

\>= 3.5.0-rc1, < 3.5.4

**Patched versions**

3.4.6

3.5.4

**Description**

Published to the GitHub Advisory Database

May 27, 2024

Last updated

May 27, 2024

GHSA-c4c3-j73v-634r: silverstripe/framework has Cross-site Scripting vulnerability in page history comparison

RedirectorPage will allow users to specify a non-url malicious script as the redirection path without validation. Users which follow this url may allow this script to execute within their browser.

Skip to content

**Navigation Menu**

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  GHSA-pp7q-6j3f-74vj

**silverstripe/framework has Cross-site Scripting vulnerability in RedirectorPage**

Moderate severity GitHub Reviewed Published May 27, 2024 to the GitHub Advisory Database

**Package**

composer silverstripe/framework (Composer)

**Affected versions**

\>= 3.4.0-rc1, < 3.4.6

\>= 3.5.0-rc1, < 3.5.4

**Patched versions**

3.4.6

3.5.4

**Description**

Published to the GitHub Advisory Database

May 27, 2024

GHSA-pp7q-6j3f-74vj: silverstripe/framework has Cross-site Scripting vulnerability in RedirectorPage

In follow up to [SS-2016-001](https://www.silverstripe.org/download/security-releases/ss-2016-001/) there is yet a minor unresolved fix to incorrectly encoded URL.

Skip to content

**Navigation Menu**

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  GHSA-r85g-7jpv-8xrx

**silverstripe/framework has Cross-site Scripting vulnerability in CMSSecurity BackURL**

Moderate severity GitHub Reviewed Published May 27, 2024 to the GitHub Advisory Database • Updated May 27, 2024

**Package**

composer silverstripe/framework (Composer)

**Affected versions**

\>= 3.1.0-rc1, < 3.1.21

\>= 3.2.0-rc1, < 3.2.6

\>= 3.3.0-rc1, < 3.3.4

\>= 3.4.0-rc1, < 3.4.2

**Patched versions**

3.1.21

3.2.6

3.3.4

3.4.2

**Description**

Published to the GitHub Advisory Database

May 27, 2024

Last updated

May 27, 2024

GHSA-r85g-7jpv-8xrx: silverstripe/framework has Cross-site Scripting vulnerability in CMSSecurity BackURL

silverstripe/framework is vulnerable to XSS in Page name where the payload `"><svg/onload=alert(/xss/)>` will trigger an XSS alert.

Skip to content

**Navigation Menu**

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  GHSA-hhvj-mcrx-3vcf

**silverstripe/framework has Cross-site Scripting vulnerability in page name**

Moderate severity GitHub Reviewed Published May 27, 2024 to the GitHub Advisory Database • Updated May 27, 2024

**Package**

composer silverstripe/framework (Composer)

**Affected versions**

\>= 3.4.0-rc1, < 3.4.4

\>= 3.5.0-rc1, < 3.5.2

**Patched versions**

3.4.4

3.5.2

**Description**

Published to the GitHub Advisory Database

May 27, 2024

Last updated

May 27, 2024

GHSA-hhvj-mcrx-3vcf: silverstripe/framework has Cross-site Scripting vulnerability in page name

List of key / value pairs assigned to `OptionsetField` or `CheckboxSetField` do not have a default casting assigned to them. The effect of this is a potential XSS vulnerability in lists where either key or value contain unescaped HTML.



Skip to content

**Navigation Menu**

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  GHSA-468j-6jrc-2rjx

**silverstripe/framework vulnerable to Cross-site Scripting In \`OptionsetField\` and \`CheckboxSetField\`**

Moderate severity GitHub Reviewed Published May 27, 2024 to the GitHub Advisory Database • Updated May 27, 2024

**Package**

composer silverstripe/framework (Composer)

**Affected versions**

\>= 3.1.19-rc1, < 3.1.20

\>= 3.2.4-rc1, < 3.2.5

\>= 3.3.2-rc1, < 3.3.3

\>= 3.4.0-rc1, < 3.4.1

**Patched versions**

3.1.20

3.2.5

3.3.3

3.4.1

**Description**

Published to the GitHub Advisory Database

May 27, 2024

Last updated

May 27, 2024

GHSA-468j-6jrc-2rjx: silverstripe/framework vulnerable to Cross-site Scripting In `OptionsetField` and `CheckboxSetField`

The core template `framework/templates/Includes/GridField_print.ss` uses "Printed by $Member.Name".

If the currently logged in members first name or surname contain XSS, this prints the raw HTML out, because Member->getName() just returns the raw FirstName + Surname as a string, which is injected directly.

Skip to content

**Navigation Menu**

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  GHSA-r9vp-fp72-xgf7

**silverstripe/framework's \`Member.Name\` is not escaped**

Moderate severity GitHub Reviewed Published May 27, 2024 to the GitHub Advisory Database • Updated May 27, 2024

**Package**

composer silverstripe/framework (Composer)

**Affected versions**

\>= 3.1.9-rc1, < 3.1.20

\>= 3.2.4-rc1, < 3.2.5

\>= 3.3.2-rc1, < 3.3.3

\>= 3.4.0-rc1, < 3.4.1

**Patched versions**

3.1.20

3.2.5

3.3.3

3.4.1

**Description**

Published to the GitHub Advisory Database

May 27, 2024

Last updated

May 27, 2024

GHSA-r9vp-fp72-xgf7: silverstripe/framework's `Member.Name` is not escaped

The silverstripe/comments module, the cwp/starter-theme and the cwp/watea-theme include an outdated version of jQuery by default, which contains XSS vulnerabilities if user input is used in certain contexts. Though no known exploit has been found for these in the existing usage, user customisation to these themes could have made them exploitable.

CWP 2.0.0 has been released with the fixed cwp/stater-theme and silverstripe/comments module, and SilverStripe 4.2.0 will be released with the fixed silverstripe-themes/simple theme.

Skip to content

**Navigation Menu**

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  GHSA-frm9-7pm9-5rgc

**SilverStripe comments module includes version of jQuery vulnerable to Cross-site Scripting**

Moderate severity GitHub Reviewed Published May 27, 2024 to the GitHub Advisory Database • Updated May 27, 2024

**Package**

composer silverstripe/comments (Composer)

**Affected versions**

\>= 1.3.0, < 3.1.1

**Description**

Published to the GitHub Advisory Database

May 27, 2024

Last updated

May 27, 2024

Tag

#xss