CVE-2019-19325 - OpenCVE

SilverStripe through 4.4.x before 4.4.5 and 4.5.x before 4.5.2 allows Reflected XSS on the login form and custom forms. Silverstripe Forms allow malicious HTML or JavaScript to be inserted through non-scalar FormField attributes, which allows performing XSS (Cross-Site Scripting) on some forms built with user input (Request data). This can lead to phishing attempts to obtain a user's credentials or other sensitive user input.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Silverstripe	Silverstripe

Configuration 1 [-]

OR	cpe:2.3:a:silverstripe:silverstripe::::::::
	cpe:2.3:a:silverstripe:silverstripe::::::::

References

Link	Resource
https://www.silverstripe.org/download/security-releases/cve-2019-19325	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2020-02-17T19:59:29

Updated: 2020-02-17T19:59:29

Reserved: 2019-11-27T00:00:00

Link: CVE-2019-19325

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-02-17T20:15:11.007

Modified: 2020-02-20T20:52:43.137

Link: CVE-2019-19325

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "SilverStripe through 4.4.x before 4.4.5 and 4.5.x before 4.5.2 allows Reflected XSS on the login form and custom forms. Silverstripe Forms allow malicious HTML or JavaScript to be inserted through non-scalar FormField attributes, which allows performing XSS (Cross-Site Scripting) on some forms built with user input (Request data). This can lead to phishing attempts to obtain a user's credentials or other sensitive user input."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-02-17T19:59:29", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.silverstripe.org/download/security-releases/cve-2019-19325"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-19325", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "SilverStripe through 4.4.x before 4.4.5 and 4.5.x before 4.5.2 allows Reflected XSS on the login form and custom forms. Silverstripe Forms allow malicious HTML or JavaScript to be inserted through non-scalar FormField attributes, which allows performing XSS (Cross-Site Scripting) on some forms built with user input (Request data). This can lead to phishing attempts to obtain a user's credentials or other sensitive user input."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.silverstripe.org/download/security-releases/cve-2019-19325", "refsource": "CONFIRM", "url": "https://www.silverstripe.org/download/security-releases/cve-2019-19325"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-19325", "datePublished": "2020-02-17T19:59:29", "dateReserved": "2019-11-27T00:00:00", "dateUpdated": "2020-02-17T19:59:29", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:silverstripe:silverstripe:*:*:*:*:*:*:*:*", "matchCriteriaId": "3CE3FBA8-9BFD-495A-9F88-D2D1BA0AFC53", "versionEndExcluding": "4.4.5", "versionStartIncluding": "4.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:silverstripe:silverstripe:*:*:*:*:*:*:*:*", "matchCriteriaId": "4B50E745-EC7B-43FE-B5B3-63DB1FBAC77B", "versionEndExcluding": "4.5.2", "versionStartIncluding": "4.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "SilverStripe through 4.4.x before 4.4.5 and 4.5.x before 4.5.2 allows Reflected XSS on the login form and custom forms. Silverstripe Forms allow malicious HTML or JavaScript to be inserted through non-scalar FormField attributes, which allows performing XSS (Cross-Site Scripting) on some forms built with user input (Request data). This can lead to phishing attempts to obtain a user's credentials or other sensitive user input."}, {"lang": "es", "value": "SilverStripe versiones hasta 4.4.x anteriores a 4.4.5 y versiones 4.5.x anteriores a 4.5.2, permite un ataque de tipo XSS Reflejado en el formulario de inicio de sesi\u00f3n y formularios personalizados. Silverstripe Forms permite insertar HTML o JavaScript malicioso por medio de atributos FormField no escalares, lo que permite llevar a cabo un ataque de tipo XSS (Cross-Site Scripting) en algunos formularios creados con la entrada del usuario (Request data). Esto puede conllevar a intentos de phishing para obtener las credenciales de un usuario u otra entrada confidencial del usuario."}], "id": "CVE-2019-19325", "lastModified": "2020-02-20T20:52:43.137", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-02-17T20:15:11.007", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://www.silverstripe.org/download/security-releases/cve-2019-19325"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}