CVE-2010-4823: XSS
First published: Mon Sep 17 2012(Updated: )
Cross-site scripting (XSS) vulnerability in the httpError method in sapphire/core/control/RequestHandler.php in SilverStripe 2.3.x before 2.3.10 and 2.4.x before 2.4.4, when custom error handling is not used, allows remote attackers to inject arbitrary web script or HTML via "missing URL actions."
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| SilverStripe CMS | =2.3.4 | |
| SilverStripe CMS | =2.3.7 | |
| SilverStripe CMS | =2.3.3 | |
| SilverStripe CMS | =2.3.8 | |
| SilverStripe CMS | =2.3.1 | |
| SilverStripe CMS | =2.3.5 | |
| SilverStripe CMS | =2.3.9 | |
| SilverStripe CMS | =2.3.6 | |
| SilverStripe CMS | =2.3.0 | |
| SilverStripe CMS | =2.3.2 | |
| SilverStripe CMS | =2.4.1 | |
| SilverStripe CMS | =2.4.0 | |
| SilverStripe CMS | =2.4.2 | |
| SilverStripe CMS | =2.4.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.openwall.com/lists/oss-security/2012/05/01/3
- http://www.openwall.com/lists/oss-security/2012/04/30/3
- http://open.silverstripe.org/changeset/114444
- http://www.openwall.com/lists/oss-security/2011/01/03/12
- http://doc.silverstripe.org/framework/en/trunk/changelogs//2.4.4
- http://www.openwall.com/lists/oss-security/2012/04/30/1
- http://secunia.com/advisories/42346
- http://www.osvdb.org/69886
- http://www.securityfocus.com/bid/45367
- https://exchange.xforce.ibmcloud.com/vulnerabilities/63988
Frequently Asked Questions
What is the severity of CVE-2010-4823?
CVE-2010-4823 has been classified as a moderate severity vulnerability due to its XSS exploitation potential.
How do I fix CVE-2010-4823?
To fix CVE-2010-4823, upgrade SilverStripe to version 2.3.10 or 2.4.4 or later.
Which versions of SilverStripe are affected by CVE-2010-4823?
The affected versions include SilverStripe 2.3.x before 2.3.10 and 2.4.x before 2.4.4.
What causes the vulnerability described in CVE-2010-4823?
CVE-2010-4823 is caused by improper handling of custom error handling, allowing XSS injection through missing URL actions.
Who can exploit CVE-2010-4823?
Remote attackers can exploit CVE-2010-4823 to inject arbitrary web scripts or HTML.
- agent/references
- agent/type
- agent/softwarecombine
- agent/remedy
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/weakness
- agent/last-modified-date
- agent/author
- agent/first-publish-date
- agent/description
- agent/event
- agent/source
- agent/tags
- collector/nvd-historical
- agent/software-canonical-lookup-request
- collector/nvd-index
- vendor/silverstripe
- canonical/silverstripe cms
- version/silverstripe cms/2.3.4
- version/silverstripe cms/2.3.7
- version/silverstripe cms/2.3.3
- version/silverstripe cms/2.3.8
- version/silverstripe cms/2.3.1
- version/silverstripe cms/2.3.5
- version/silverstripe cms/2.3.9
- version/silverstripe cms/2.3.6
- version/silverstripe cms/2.3.0
- version/silverstripe cms/2.3.2
- version/silverstripe cms/2.4.1
- version/silverstripe cms/2.4.0
- version/silverstripe cms/2.4.2
- version/silverstripe cms/2.4.3