CVE-2021-36150: Cross-site Scripting in SilverStripe Framework
Basic Information

CVSS Score: 6.1 (CVSS 3.1)
CVE ID: CVE-2021-36150
GHSA ID:
EPSS Score: 0.64861%
CWE:
Published: 10/12/2021
Updated: 2/2/2024
KEV Status: No
Technology: PHP
Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| silverstripe/admin | composer | >= 1.0.0, < 1.8.1 | 1.8.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability is a cross-site scripting flaw reached through the 'Insert from files' feature of the admin interface. FileFormFactory handles the file insertion logic, and insufficient HTML escaping of user-provided link text in that form would directly account for the reflected XSS. The fix in 1.8.1 would have added HTML escaping at that point. Exact commit details are unavailable, but the described attack vector strongly implicates the handling of link text in the file insertion form.
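The analysis above describes the flaw as user-supplied link text reaching the page without HTML escaping, and the fix as adding that escaping. The following is an added illustration written for this page; it is not SilverStripe's FileFormFactory code and makes no claim about how that class is structured. It places a minimal link renderer that concatenates the user's text straight into the markup next to one that escapes both the attribute value and the element text with PHP's htmlspecialchars. The function names and the sample input are constructed for the example.

```php
<?php
// Added illustration (not SilverStripe's code): rendering an "insert from
// files" link whose text and target were supplied by the user.
declare(strict_types=1);

/**
 * Escape a string for use as HTML text or inside a double-quoted attribute.
 * ENT_QUOTES also escapes single quotes; ENT_SUBSTITUTE replaces invalid
 * UTF-8 instead of returning an empty string, which would silently drop the
 * value and hide the problem.
 */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Weak form: user-controlled href and link text are concatenated into the
 * markup unchanged, so any markup characters in them become part of the page
 * structure instead of being shown as text.
 */
function renderFileLinkUnescaped(string $href, string $text): string
{
    return '<a href="' . $href . '">' . $text . '</a>';
}

/**
 * Hardened form: the attribute value and the element text are both escaped
 * in the context where they are inserted, so the browser renders the user's
 * input literally.
 */
function renderFileLinkEscaped(string $href, string $text): string
{
    return '<a href="' . escapeHtml($href) . '">' . escapeHtml($text) . '</a>';
}

// Constructed sample input: a file path and the link text typed into the form.
$href = '/assets/Uploads/report.pdf';
$text = 'Report <b>"draft"</b> & notes';

echo renderFileLinkUnescaped($href, $text), PHP_EOL;
echo renderFileLinkEscaped($href, $text), PHP_EOL;
```

Running the script prints the two renderings one after the other: in the first, the angle brackets, quotes and ampersand from the link text appear verbatim inside the anchor element; in the second they are emitted as HTML entities and display as ordinary text. The point the record makes is that escaping must happen at the output boundary for every user-controlled fragment, text content and attribute values alike, which is what a fix of the kind described for 1.8.1 adds.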