CVE-2012-4968
SilverStripe <2.3.13 & <2.4.7 - XSS
Multiple cross-site scripting (XSS) vulnerabilities in SilverStripe 2.3.x before 2.3.13 and 2.4.x before 2.4.7 allow remote attackers to inject arbitrary web script or HTML via (1) a crafted string to the AbsoluteLinks, (2) BigSummary, (3) ContextSummary, (4) EscapeXML, (5) FirstParagraph, (6) FirstSentence, (7) Initial, (8) LimitCharacters, (9) LimitSentences, (10) LimitWordCount, (11) LimitWordCountXML, (12) Lower, (13) LowerCase, (14) NoHTML, (15) Summary, (16) Upper, (17) UpperCase, or (18) URL method in a template, different vectors than CVE-2012-0976.
References (5)
Scores
EPSS
0.0029
EPSS Percentile
52.5%
Classification
CWE
CWE-79
Status
published
Affected Products (21)
silverstripe/silverstripe
Timeline
Published
Sep 17, 2012
Tracked Since
Feb 18, 2026