CVE-2012-4968 — Silverstripe XSS Vulnerabilities

Description

Multiple cross-site scripting (XSS) vulnerabilities in SilverStripe 2.3.x before 2.3.13 and 2.4.x before 2.4.7 allow remote attackers to inject arbitrary web script or HTML via 1. a crafted string to the `AbsoluteLinks` 1. `BigSummary` 1. `ContextSummary` 1. `EscapeXML` 1. `FirstParagraph` 1. `FirstSentence` 1. `Initial` 1. `LimitCharacters` 1. `LimitSentences` 1. `LimitWordCount` 1. `LimitWordCountXML` 1. `Lower` 1. `LowerCase` 1. `NoHTML` 1. `Summary` 1. `Upper` 1. `UpperCase`, or 1. `URL` method in a template, different vectors than CVE-2012-0976.

How to fix CVE-2012-4968

To remediate CVE-2012-4968, upgrade the affected package to a fixed version below.

—upgrade to 2.3.13 or later

Is CVE-2012-4968 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 2.3, < 2.3.13

References (9)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2012-4968
PATCHgithub.com/silverstripe/silverstripe-framework
WEBdoc.silverstripe.org/framework/en/trunk/changelogs/2.3.13
WEBdoc.silverstripe.org/framework/en/trunk/changelogs/2.4.7