GHSA-97JM-G33H-F46G

GHSA-97JM-G33H-F46G is a medium-severity cross-site scripting (XSS) vulnerability in silverstripe/framework (composer), affecting versions < 3.1.21. It is fixed in 3.1.21, 3.2.6, 3.3.4, 3.4.2.

Does this CVE actually affect you?

Kodem shows which CVEs are reachable and running in your applications, so you fix what's exploitable, not just what's listed.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Runtime intelligence, not another scanner.

Summary

silverstripe/framework ReadOnly transformation for formfields exploitable

Form fields returning isReadonly() as true are vulnerable to reflected XSS injections. This includes ReadonlyField, LookupField, HTMLReadonlyField, as well as special purpose fields like TimeField_Readonly. Values submitted to through these form fields are not filtered out from the form session data, and might be shown to the user depending on the form behaviour. For example, form validation errors cause the form to re-render with previously submitted values by default.

SilverStripe forms automatically load values from request data (GET and POST), which enables malicious use of URLs if your form uses these fields and doesn't overwrite data on form construction.

Readonly and disabled form fields are already filtered out in Form->saveInto(), so maliciously submitted data on these fields doesn't make it into the database unless you are accessing form values directly in your saving logic.

Impact

Untrusted input is rendered as active markup in a victim's browser, which can run script in their session. Typical impact: session or credential theft, and actions taken as the user.

GHSA-97JM-G33H-F46G has a CVSS score of 6.1 (Medium). The vector is network-reachable, no privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (3.1.21, 3.2.6, 3.3.4, 3.4.2); upgrading removes the vulnerable code path.

Affected versions

silverstripe/framework (< 3.1.21) silverstripe/framework (>= 3.2.0, < 3.2.6) silverstripe/framework (>= 3.3.0, < 3.3.4) silverstripe/framework (>= 3.4.0, < 3.4.2)

Security releases

silverstripe/framework → 3.1.21 (composer) silverstripe/framework → 3.2.6 (composer) silverstripe/framework → 3.3.4 (composer) silverstripe/framework → 3.4.2 (composer)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Already deployed Kodem?

See it in your environmentNew to Kodem? Get a demo →

Remediation advice

Upgrade the following packages to resolve this vulnerability:

silverstripe/framework to 3.1.21 or later; silverstripe/framework to 3.2.6 or later; silverstripe/framework to 3.3.4 or later; silverstripe/framework to 3.4.2 or later

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is GHSA-97JM-G33H-F46G? GHSA-97JM-G33H-F46G is a medium-severity cross-site scripting (XSS) vulnerability in silverstripe/framework (composer), affecting versions < 3.1.21. It is fixed in 3.1.21, 3.2.6, 3.3.4, 3.4.2. Untrusted input is rendered as active markup in a victim's browser, which can run script in their session.
  2. How severe is GHSA-97JM-G33H-F46G? GHSA-97JM-G33H-F46G has a CVSS score of 6.1 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of silverstripe/framework are affected by GHSA-97JM-G33H-F46G? silverstripe/framework (composer) versions < 3.1.21 is affected.
  4. Is there a fix for GHSA-97JM-G33H-F46G? Yes. GHSA-97JM-G33H-F46G is fixed in 3.1.21, 3.2.6, 3.3.4, 3.4.2. Upgrade to this version or later.
  5. Is GHSA-97JM-G33H-F46G exploitable, and should I be worried? Whether GHSA-97JM-G33H-F46G is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether GHSA-97JM-G33H-F46G is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix GHSA-97JM-G33H-F46G?
    • Upgrade silverstripe/framework to 3.1.21 or later
    • Upgrade silverstripe/framework to 3.2.6 or later
    • Upgrade silverstripe/framework to 3.3.4 or later
    • Upgrade silverstripe/framework to 3.4.2 or later

Other vulnerabilities in silverstripe/framework

Stop the waste.
Protect your environment with Kodem.