SS-2013-009: XSS in CMS "Pages" section

This site requires you to update your browser. Your browsing experience maybe affected by not having the most up to date version.

Severity:: Low (?)
Identifier:: SS-2013-009
Versions Affected:: 3.0,3.1
Versions Fixed:: 3.0.7,3.1.0-rc3
Release Date:: 2013-09-24

The "Insert Link" dropdown and "Dependent Pages" list in the "Pages" CMS section are vulnerable to persistent cross-site scripting, through the SiteTree.Title attribute. This form of attack requires a CMS login by a malicious third party, and can lead to executing authenticated requests on behalf of the CMS user victim.