Vulnerability Details : CVE-2023-28851
Silverstripe Form Capture provides a method to capture simple silverstripe forms and an admin interface for users. Starting in version 0.2.0 and prior to versions 1.0.2, 1.1.0, 2.2.5, and 3.1.1, improper escaping when presenting stored form submissions allowed for an attacker to perform a Cross-Site Scripting attack. The vulnerability was initially patched in version 1.0.2, and version 1.1.0 includes this patch. The bug was then accidentally re-introduced during a merge error, and has been re-patched in versions 2.2.5 and 3.1.1. There are no known workarounds for this vulnerability.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2023-28851
- Bigfork » Silverstripe Form CaptureVersions from including (>=) 0.2.0 and up to, including, (<=) 0.2.3cpe:2.3:a:bigfork:silverstripe_form_capture:*:*:*:*:*:*:*:*
- cpe:2.3:a:bigfork:silverstripe_form_capture:*:*:*:*:*:*:*:*
- cpe:2.3:a:bigfork:silverstripe_form_capture:3.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:bigfork:silverstripe_form_capture:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:bigfork:silverstripe_form_capture:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:bigfork:silverstripe_form_capture:3.0.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-28851
0.05%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 24 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-28851
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.4
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
2.3
|
2.7
|
NIST | |
6.1
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
2.8
|
2.7
|
GitHub, Inc. |
CWE ids for CVE-2023-28851
-
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.Assigned by:
- nvd@nist.gov (Primary)
- security-advisories@github.com (Secondary)
-
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.Assigned by: security-advisories@github.com (Secondary)
References for CVE-2023-28851
-
https://github.com/bigfork/silverstripe-form-capture/commit/5b3aa39dd1eef042f173167b0fa4d3f717971772
Fix improper escaping of details fields in GridField view · bigfork/silverstripe-form-capture@5b3aa39 · GitHubPatch
-
https://github.com/bigfork/silverstripe-form-capture/security/advisories/GHSA-38h6-gmr2-j4wx
Improper Handling of User Input - Cross-Site Scripting (Stored) · Advisory · bigfork/silverstripe-form-capture · GitHubVendor Advisory
Jump to