CVE-2015-8606: XSS in SilverStripe CMS & Framework

Reflected Cross-Site Scripting in SilverStripe CMS & Framework

Multiple cross-site scripting (XSS) vulnerabilities in SilverStripe CMS & Framework before 3.1.16 and 3.2.x before 3.2.1 allow remote attackers to inject arbitrary web script or HTML via the (1) Locale or (2) FailedLoginCount parameter to admin/security/EditForm/field/Members/item/new/ItemEditForm.

CVE IDCVE-2015-8606

CVSS v3.16.1 Medium

VendorSilverStripe

CWECWE-79

DisclosedNov 5, 2015

StatusFixed

01/Description

What this actually is.

Technical background, root cause, and affected surface.

A cross-site scripting (XSS) attack can cause arbitrary code (javascript) to run in a user’s browser while the browser is connected to a trusted web site. The application targets your users and not the application itself, but it uses your application as the vehicle for the attack. XSS payload is executed when the user tries to modify the value of the following mentioned variable in SilverStripe CMS & Framework v3.2.0 on 2 Places, whereas listed below along with screenshots for better understanding.

1. Locale

2. FailedLoginCount

Vendor: SilverStripe
Affected Product: SilverStripe
CVE: CVE-2015-8606
Securin ID: 2015-CSW-09-1009
Status: Fixed
Date: November 5, 2015
Severity: Medium
CVSS Score: 6.1
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

02/Proof of Concept

From one request
to root shell.

Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.

VectorCVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

ScopeChanged

ImpactC:L / I:L / A:N

SeverityMedium

Issue 1: The POST Request of the variable Locale in the new member form is vulnerable to XSS.

PoC · Exploitation Steps▲ trigger

01Figure 1: XSS payload was injected in the Locale variable.02Figure 2: Injected payload was executed in the browser03Issue 2: The POST Request of the variable FailedLoginCount in the new member form is vulnerable to XSS04Figure 3: XSS payload is injected in the Locale variable.05Figure 4: Injected payload was executed in the browser

03/Impact

What an attacker does to you.

Post-exploitation outcomes mapped to CVSS impact metrics.

Medium

User’s session cookie & end-user files disclosure.

Medium

Hijack the user’s session & take over the account.

High

Installation of Trojan horse programs.

High

Redirection of the user to some other page or site.

Medium

Modification to the presentation of content

04/Remediation

Fix it. In this order.

A runbook, not a checklist. Sequence matters — assume compromise before you act.

Download the patch release advised as per the vendor.

Securin advisory — For coordinated remediation support or threat-actor briefings related to CVE-2015-8606, contact disclose@securin.io

05/Disclosure Timeline

Vendors moved in days.
Attackers in hours.

Reconstructed from vendor advisories, CISA bulletins, and Securin research records.

Nov 05, 2015

Vulnerability Disclosure in SilverStripe CMS & Framework and Reported

Nov 11, 2015

Vendor Response

Nov 16, 2015

Vendor Released Fix

Dec 12, 2015

Public disclosed

Dec 17, 2015

CVE Assigned

Disclosed 11 days after discovery

06/References

Cite, verify, go deeper.

Primary sources — NVD, CISA KEV, and machine-readable IoC feed.

NVD

NVD — CVE-2015-8606

nvd.nist.gov/vuln/detail/CVE-2015-8606 →

SEC

Securin VI — Full Technical Analysis

vi.securin.io →

Reflected Cross-Site Scripting in SilverStripe CMS & Framework

CVE IDCVE-2015-8606

CVSS v3.16.1 Medium

VendorSilverStripe

CWECWE-79

DisclosedNov 5, 2015

StatusFixed

01/Description

What this actually is.

Technical background, root cause, and affected surface.

1. Locale

2. FailedLoginCount

Vendor: SilverStripe
Affected Product: SilverStripe
CVE: CVE-2015-8606
Securin ID: 2015-CSW-09-1009
Status: Fixed
Date: November 5, 2015
Severity: Medium
CVSS Score: 6.1
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

02/Proof of Concept

From one request
to root shell.

Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.

VectorCVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

ScopeChanged

ImpactC:L / I:L / A:N

SeverityMedium

Issue 1: The POST Request of the variable Locale in the new member form is vulnerable to XSS.

PoC · Exploitation Steps▲ trigger

03/Impact

What an attacker does to you.

Post-exploitation outcomes mapped to CVSS impact metrics.

Medium

User’s session cookie & end-user files disclosure.

Medium

Hijack the user’s session & take over the account.

High

Installation of Trojan horse programs.

High

Redirection of the user to some other page or site.

Medium

Modification to the presentation of content

04/Remediation

Fix it. In this order.

A runbook, not a checklist. Sequence matters — assume compromise before you act.

Download the patch release advised as per the vendor.

Securin advisory — For coordinated remediation support or threat-actor briefings related to CVE-2015-8606, contact disclose@securin.io

05/Disclosure Timeline

Vendors moved in days.
Attackers in hours.

Reconstructed from vendor advisories, CISA bulletins, and Securin research records.

Nov 05, 2015

Vulnerability Disclosure in SilverStripe CMS & Framework and Reported

Nov 11, 2015

Vendor Response

Nov 16, 2015

Vendor Released Fix

Dec 12, 2015

Public disclosed

Dec 17, 2015

CVE Assigned

Disclosed 11 days after discovery

06/References

Cite, verify, go deeper.

Primary sources — NVD, CISA KEV, and machine-readable IoC feed.

NVD

NVD — CVE-2015-8606

nvd.nist.gov/vuln/detail/CVE-2015-8606 →

SEC

Securin VI — Full Technical Analysis

vi.securin.io →

Reflected Cross-Site Scripting in SilverStripe CMS & Framework

What this actually is.

From one request
to root shell.

What an attacker does to you.

User’s session cookie & end-user files disclosure.

Hijack the user’s session & take over the account.

Installation of Trojan horse programs.

Redirection of the user to some other page or site.

Modification to the presentation of content

Fix it. In this order.

Vendors moved in days.
Attackers in hours.

Vulnerability Disclosure in SilverStripe CMS & Framework and Reported

Vendor Response

Vendor Released Fix

Public disclosed

CVE Assigned

Cite, verify, go deeper.

NVD — CVE-2015-8606

Securin VI — Full Technical Analysis

Let Securin level up your security posture.

Reflected Cross-Site Scripting in SilverStripe CMS & Framework

What this actually is.

From one request
to root shell.

What an attacker does to you.

User’s session cookie & end-user files disclosure.

Hijack the user’s session & take over the account.

Installation of Trojan horse programs.

Redirection of the user to some other page or site.

Modification to the presentation of content

Fix it. In this order.

Vendors moved in days.
Attackers in hours.

Vulnerability Disclosure in SilverStripe CMS & Framework and Reported

Vendor Response

Vendor Released Fix

Public disclosed

CVE Assigned

Cite, verify, go deeper.

NVD — CVE-2015-8606

Securin VI — Full Technical Analysis

Let Securin level up your security posture.

Reflected Cross-Site Scripting in SilverStripe CMS & Framework

What this actually is.

From one requestto root shell.

What an attacker does to you.

User’s session cookie & end-user files disclosure.

Hijack the user’s session & take over the account.

Installation of Trojan horse programs.

Redirection of the user to some other page or site.

Modification to the presentation of content

Fix it. In this order.

Vendors moved in days.Attackers in hours.

Vulnerability Disclosure in SilverStripe CMS & Framework and Reported

Vendor Response

Vendor Released Fix

Public disclosed

CVE Assigned

Cite, verify, go deeper.

NVD — CVE-2015-8606

Securin VI — Full Technical Analysis

Let Securin level up your security posture.

Reflected Cross-Site Scripting in SilverStripe CMS & Framework

What this actually is.

From one requestto root shell.

What an attacker does to you.

User’s session cookie & end-user files disclosure.

Hijack the user’s session & take over the account.

Installation of Trojan horse programs.

Redirection of the user to some other page or site.

Modification to the presentation of content

Fix it. In this order.

Vendors moved in days.Attackers in hours.

Vulnerability Disclosure in SilverStripe CMS & Framework and Reported

Vendor Response

Vendor Released Fix

Public disclosed

CVE Assigned

Cite, verify, go deeper.

NVD — CVE-2015-8606

Securin VI — Full Technical Analysis

Let Securin level up your security posture.

From one request
to root shell.

Vendors moved in days.
Attackers in hours.

From one request
to root shell.

Vendors moved in days.
Attackers in hours.