CVE-2019-12205 Flash Clipboard Reflected XSS

Severity: Medium
Identifier: CVE-2019-12205
Versions Affected: ^3.0, ^4.0
Versions Fixed: 4.3.5, 4.4.4
Release Date: 2019-09-24

Third-party library code included in silverstripe/framework (3.x) and silverstripe/admin (4.x) packaged its own documentation, which in turn included a vulnerable SWF file. This file was accessible on SilverStripe websites by default. Older browsers executed SWF files directly, which in certain circumstances could expose the document object and associated data (e.g. cookies). Modern browsers often don't bundle or activate the Flash plugin by default, or don't allow direct execution of SWF files unless they are embedded, which mostly mitigates this vulnerability.

CVSS Score: 6.8

Thanks to Jay Richardson for reporting.
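
Because the root cause is a SWF file shipped inside bundled third-party documentation and served from the web root, a site owner can audit a deployment for any remaining Flash files. The following is an added example, not SilverStripe's own code: it walks a directory and flags files that carry a SWF signature or a `.swf` extension. The directory layout in `build_sample_tree` is constructed and its paths are hypothetical.

```python
import os
import tempfile

# SWF files begin with one of these 3-byte signatures
# (uncompressed, zlib-compressed, LZMA-compressed), followed by a version byte.
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")


def find_swf_files(webroot):
    """Return sorted relative paths under webroot that are SWF by content or name."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(webroot):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(3)
            except OSError:
                continue  # unreadable file: skip it rather than abort the audit
            # Flag on signature OR extension: a renamed SWF is still served,
            # and a .swf name deserves review even if the file is truncated.
            if head in SWF_MAGIC or name.lower().endswith(".swf"):
                hits.append(os.path.relpath(path, webroot))
    return sorted(hits)


def build_sample_tree(root):
    """Write a constructed sample layout (hypothetical paths) for the demo."""
    files = {
        "index.php": b"<?php echo 'ok';",
        "vendor/example/lib/docs/demo.swf": b"CWS\x0a" + b"\x00" * 8,
        "vendor/example/lib/docs/readme.html": b"<html></html>",
        "assets/banner.bin": b"FWS\x09" + b"\x00" * 8,  # SWF without a .swf name
    }
    for rel, data in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel in find_swf_files(tmp):
            print(rel)
```

Any file reported inside a publicly served directory should be removed or blocked at the web server, in addition to upgrading to a fixed version.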