CVE-2019-19325
Reflected XSS in SilverStripe
6.1
MEDIUM
CVSS 3.1
EPSS 0.36%
Description
SilverStripe through 4.4.x before 4.4.5 and 4.5.x before 4.5.2 allows Reflected XSS on the login form and custom forms. Silverstripe Forms allow malicious HTML or JavaScript to be inserted through non-scalar FormField attributes, which allows performing XSS (Cross-Site Scripting) on some forms built with user input (Request data). This can lead to phishing attempts to obtain a user's credentials or other sensitive user input.
How to fix CVE-2019-19325
To remediate CVE-2019-19325, upgrade the affected package to a fixed version below.
- —upgrade to 4.5.2 or later
Is CVE-2019-19325 being exploited?
Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 4.5.0, < 4.5.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
References (4)
- ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-19325
- WEBgithub.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2019-19325.yaml
- WEBgithub.com/silverstripe/silverstripe-framework/commit/49fda52b12ba59f0a04bcabf78425586a8779e89
- WEBwww.silverstripe.org/download/security-releases/cve-2019-19325