SilverStripe CMS before 3.4.4 and 3.5.x before 3.5.2 is vulnerable to cross-site scripting (XSS). The attack vector is a page name. An example payload is a crafted JavaScript event handler within a malformed SVG element.

| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| silverstripe/cms (Packagist) | 0 | 3.4.4 | N/A |
| silverstripe/cms (Packagist) | 3.5.0 | 3.5.2 | N/A |
CVSS Metrics