6.1

CVSS Score

3.0

Basic Information

CVE ID

CVE-2015-8606

GHSA ID

GHSA-gvc8-xjfp-6569

EPSS Score

0.64136%

CWE

CWE-79

Published

5/13/2022

Updated

12/7/2023

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2015-8606

CVE-2015-8606:
Silverstripe CMS XSS Vulnerability

Multiple cross-site scripting (XSS) vulnerabilities in SilverStripe CMS & Framework before 3.1.16 and 3.2.0 before 3.2.1 allow remote attackers to inject arbitrary web script or HTML via the (1) Locale or (2) FailedLoginCount parameter to admin/security/EditForm/field/Members/item/new/ItemEditForm.

(GitHub Advisory)

6.1

CVSS Score

3.0

Basic Information

CVE ID

CVE-2015-8606

GHSA ID

GHSA-gvc8-xjfp-6569

EPSS Score

0.64136%

CWE

CWE-79

Published

5/13/2022

Updated

12/7/2023

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
silverstripe/cms	composer	<= 3.1.15	3.1.16
silverstripe/cms	composer	= 3.2.0	3.2.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper neutralization of user-controlled parameters (Locale/DropdownField and FailedLoginCount/NumericField) in form validation messages. SilverStripe's security advisory explicitly cites these FormField subclasses as vulnerable points where validation responses containing user input were rendered without proper encoding. The XSS triggers when invalid input is reflected in error messages, making the validate() methods of these classes the logical vulnerable functions responsible for handling and displaying unsanitized user input.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Multipl* *ross-sit* s*riptin* (XSS) vuln*r**iliti*s in Silv*rStrip* *MS & *r*m*work ***or* *.*.** *n* *.*.* ***or* *.*.* *llow r*mot* *tt**k*rs to inj**t *r*itr*ry w** s*ript or *TML vi* t** (*) Lo**l* or (*) **il**Lo*in*ount p*r*m*t*r to `**min/s**u

Reasoning

T** vuln*r**ility st*ms *rom improp*r n*utr*liz*tion o* us*r-*ontroll** p*r*m*t*rs (Lo**l*/*rop*own*i*l* *n* **il**Lo*in*ount/Num*ri**i*l*) in *orm v*li**tion m*ss***s. Silv*rStrip*'s s**urity **visory *xpli*itly *it*s t**s* *orm*i*l* su**l*ss*s *s v

6.1

Basic Information

Concerned about an active attack path?

CVE-2015-8606: Silverstripe CMS XSS Vulnerability

6.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2015-8606:
Silverstripe CMS XSS Vulnerability

Vulnerability Intelligence
Miggo AI