CVE-2019-12205 Flash Clipboard Reflected XSS
- Moderate (?)
- Versions Affected:
- ^3.0, ^4.0
- Versions Fixed:
- 4.3.6, 4.4.4
- Release Date:
Third party library code included in silverstripe/framework (3.x) and silverstripe/admin (4.x) packaged their own documentation, which in turn included a vulnerable SWF file. This file was accessible on SilverStripe websites by default. Older browsers executed SWF directly, and in certain circumstances can expose the document object and associated data (e.g. cookies). Modern browsers often don't bundle or active the Flash plugin by default, or don't allow direct execution of SWF files without them being embedded, which mostly mitigates this vulnerability.
Thanks to Jay Richardson for reporting.