SS-2016-013: Member.Name isn't escaped

August 15, 2016

The core template framework/templates/Includes/GridField_print.ss uses “Printed by $Member.Name”. If the currently logged in members first name or surname contain XSS, this prints the raw HTML out, because Member->getName() just returns the raw FirstName + Surname as a string, which is injected directly.

References

www.silverstripe.org/download/security-releases/ss-2016-013/

Code Behaviors & Features

Detect and mitigate SS-2016-013 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →