6.1

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-pp7q-6j3f-74vj

EPSS Score

CWE

CWE-79

Published

5/27/2024

Updated

5/27/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-pp7q-6j3f-74vj

GHSA-pp7q-6j3f-74vj: silverstripe/framework has Cross-site Scripting vulnerability in RedirectorPage

RedirectorPage will allow users to specify a non-url malicious script as the redirection path without validation. Users which follow this url may allow this script to execute within their browser.

(GitHub Advisory)

6.1

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-pp7q-6j3f-74vj

EPSS Score

CWE

CWE-79

Published

5/27/2024

Updated

5/27/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
silverstripe/framework	composer	>= 3.4.0-rc1, < 3.4.6	3.4.6
silverstripe/framework	composer	>= 3.5.0-rc1, < 3.5.4	3.5.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from unvalidated user input in the redirect URL field. The RedirectorPage_Controller::index method triggers the redirect using the unvalidated URL, and RedirectorPage::getRedirectionURL provides the raw input. Both functions lack protocol validation (e.g., blocking javascript: URLs), enabling XSS when the redirect is executed. This matches the CWE-79 description and the advisory's focus on missing validation in the redirector logic.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

R**ir**torP*** will *llow us*rs to sp**i*y * non-url m*li*ious s*ript *s t** r**ir**tion p*t* wit*out v*li**tion. Us*rs w*i** *ollow t*is url m*y *llow t*is s*ript to *x**ut* wit*in t**ir *rows*r.

Reasoning

T** vuln*r**ility st*ms *rom unv*li**t** us*r input in t** r**ir**t URL *i*l*. T** `R**ir**torP***_*ontroll*r::in**x` m*t*o* tri***rs t** r**ir**t usin* t** unv*li**t** URL, *n* `R**ir**torP***::**tR**ir**tionURL` provi**s t** r*w input. *ot* *un*tio

6.1

Basic Information

Concerned about an active attack path?

GHSA-pp7q-6j3f-74vj: silverstripe/framework has Cross-site Scripting vulnerability in RedirectorPage

6.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI