SS-2016-001: XSS in CMSController BackURL

May 11, 2016

A XSS risk exists in the returnURL parameter passed to CMSSecurity/success. An unvalidated url could cause the user to redirect to an unverified third party url outside of the site.

References

www.silverstripe.org/download/security-releases/ss-2016-001
github.com/silverstripe/silverstripe-framework/commit/1ccd3926e3dcecaa5c1b4f26a390d9eacc24a893

Code Behaviors & Features

Detect and mitigate SS-2016-001 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →