6.1

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-5f5v-5c3v-gw5v

EPSS Score

CWE

CWE-79

Published

5/23/2024

Updated

5/23/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-5f5v-5c3v-gw5v

GHSA-5f5v-5c3v-gw5v: Silverstripe IE requests not properly behaving with rewritehashlinks

Non IE browsers don’t appear to be affected, but I haven’t tested a wide range of browsers to be sure

Requests that come through from IE do NOT appear to encode all entities in the URL string, meaning they are inserted into output content directly by SSViewer::process() when rewriting hashlinks, as it directly outputs $_SERVER[‘REQUEST_URI’]

Example IE8 request 127.0.0.1 - - [18/Jun/2014:14:13:42 +1000] “GET /site/cars/brands/toyota?one=1\”onmouseover=\”alert(‘things’);\” HTTP/1.1” 200

Example FF request 127.0.0.1 - - [18/Jun/2014:14:14:22 +1000] “GET /site/cars/brands/toyota?one=1%22onmouseover=%22alert(%27things%27);%22 HTTP/1.1” 200

This causes any hash anchor to have the JS code inserted into the page as-is.

(GitHub Advisory)

6.1

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-5f5v-5c3v-gw5v

EPSS Score

CWE

CWE-79

Published

5/23/2024

Updated

5/23/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
silverstripe/framework	composer	<= 3.0.12	3.0.13
silverstripe/framework	composer	>= 3.1.0, <= 3.1.11	3.1.12

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from using strip_tags() instead of proper encoding when handling $_SERVER['REQUEST_URI'] in URL rewriting logic. The patch replaces strip_tags() with Convert::raw2att() in both SSViewer::process() and SSTemplateParser's template processing functions. These locations directly output user-controlled URL data without adequate HTML entity encoding, making them the root cause of reflected XSS when Internet Explorer sends unencoded payloads.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Non I* *rows*rs *on’t *pp**r to ** *****t**, *ut I **v*n’t t*st** * wi** r*n** o* *rows*rs to ** sur* R*qu*sts t**t *om* t*rou** *rom I* *o NOT *pp**r to *n*o** *ll *ntiti*s in t** URL strin*, m**nin* t**y *r* ins*rt** into output *ont*nt *ir**tly

Reasoning

T** vuln*r**ility st*ms *rom usin* strip_t**s() inst*** o* prop*r *n*o*in* w**n **n*lin* $_S*RV*R['R*QU*ST_URI'] in URL r*writin* lo*i*. T** p*t** r*pl***s strip_t**s() wit* *onv*rt::r*w**tt() in *ot* SSVi*w*r::pro**ss() *n* SST*mpl*t*P*rs*r's t*mpl*

6.1

Basic Information

Concerned about an active attack path?

GHSA-5f5v-5c3v-gw5v: Silverstripe IE requests not properly behaving with rewritehashlinks

6.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI