
CVE-2021-36150: Cross-site Scripting in SilverStripe Framework

CVSS Score (CVSS 3.1)
6.1

Basic Information

EPSS Score
0.64861%
Published
10/12/2021
Updated
2/2/2024
KEV Status
No
Technology
PHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package Name        Ecosystem   Vulnerable Versions     First Patched Version
silverstripe/admin  composer    >= 1.0.0, < 1.8.1       1.8.1

Vulnerability Intelligence

Root Cause Analysis

The vulnerability is cross-site scripting (XSS) reachable through the 'Insert from files' feature. FileFormFactory builds the file-insertion form, and insufficient HTML escaping of the user-provided link text would directly account for the reported reflected XSS. The fix in 1.8.1 would have added HTML escaping at that point. Exact commit details are unavailable, but the described attack vector strongly implicates link-text handling in the file insertion form.
