CVE-2021-27938 XSS in CreateQueuedJobTask

This site requires you to update your browser. Your browsing experience maybe affected by not having the most up to date version.

Severity:: High (?)
Identifier:: CVE-2021-27938
Versions Affected:: symbiote/silverstripe-queuedjobs: ^3.0.0, ^4.0.0
Versions Fixed:: symbiote/silverstripe-queuedjobs: 3.0.2, 3.1.4, 4.0.7, 4.1.2, 4.2.4, 4.3.3, 4.4.3, 4.5.1, 4.6.4
Release Date:: 2021-03-15

A high severity security vulnerability has been identified in the Silverstripe CMS 3 and 4 version of the symbiote/silverstripe-queuedjobs module, which is a popular optional module used to manage dev tasks in the CMS UI for the Silverstripe CMS. A Cross Site Scripting vulnerability allows an attacker to inject an arbitrary payload in the CreateQueuedJobTask dev task via a specially crafted URL.

The corresponding releases contains a fix. We recommend reviewing the impact it may have on your site(s) and upgrading as soon as possible.

Base CVSS: 7.1

CWP CVSS: 7.1

Reporters: Michael Tsai from ZX Security