XSS in CreateQueuedJobTask

Description

A vulnerability has been identified in the Silverstripe CMS 3 and 4 version of the symbiote/silverstripe-queuedjobs module. A Cross Site Scripting vulnerability allows an attacker to inject an arbitrary payload in the CreateQueuedJobTask dev task via a specially crafted URL.

Basic information

Type
reviewed
Severity
medium
Advisory on GitHub
Open advisory ↗
Repository advisory
Source code
Not specified
Published (advisory)
2021-03-24 17:42:02 UTC
Updated
2023-02-01 05:05:20 UTC
GitHub reviewed
2021-03-24 17:41:15 UTC
NVD published
2021-03-16

EPSS Score

Score Percentile
0.24% 47.18%

CVSS Scores

No CVSS scores in this advisory.

Identifiers

CWEs

CWE id Name
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected packages (9)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
composer symbiote/silverstripe-queuedjobs >= 3.0.0, < 3.0.2 3.0.2
composer symbiote/silverstripe-queuedjobs >= 3.1.0, < 3.1.4 3.1.4
composer symbiote/silverstripe-queuedjobs >= 4.0.0, < 4.0.7 4.0.7
composer symbiote/silverstripe-queuedjobs >= 4.1.0, < 4.1.2 4.1.2
composer symbiote/silverstripe-queuedjobs >= 4.2.0, < 4.2.4 4.2.4
composer symbiote/silverstripe-queuedjobs >= 4.3.0, < 4.3.3 4.3.3
composer symbiote/silverstripe-queuedjobs >= 4.4.0, < 4.4.3 4.4.3
composer symbiote/silverstripe-queuedjobs >= 4.5.0, < 4.5.1 4.5.1
composer symbiote/silverstripe-queuedjobs >= 4.6.0, < 4.6.4 4.6.4

References

cvelogic Threat Intelligence