Silverstripe Form Capture vulnerable to Stored Cross-Site Scripting
Description
Silverstripe Form Capture provides a method to capture simple silverstripe forms and an admin interface for users. Starting in version 0.2.0 and prior to versions 1.0.2, 1.1.0, 2.2.5, and 3.1.1, improper escaping when presenting stored form submissions allowed for an attacker to perform a Cross-Site Scripting attack. The vulnerability was initially patched in version 1.0.2, and version 1.1.0 includes this patch. The bug was then accidentally re-introduced during a merge error, and has been re-patched in versions 2.2.5 and 3.1.1. There are no known workarounds for this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Silverstripe Form Capture stored XSS via improper escaping in GridField view; patched in 1.0.2, 1.1.0, 2.2.5, 3.1.1.
Vulnerability
Summary
CVE-2023-28851 is a stored cross-site scripting (XSS) vulnerability in the Silverstripe Form Capture module, which captures form submissions and presents them through an admin interface. The root cause is improper escaping of stored form submission data when displayed in the GridField view, allowing an attacker to inject malicious scripts that execute in the context of an administrator's browser session [1][4].
Exploitation
An attacker can submit a crafted form field value containing JavaScript. When an administrator views the captured submissions in the admin interface, the payload is rendered without proper HTML encoding, triggering the XSS. No authentication is required to submit the form, making the attack surface broad; however, the malicious content is only executed when a privileged user accesses the stored submissions, meaning the attacker relies on administrator interaction [1][4].
Impact
Successful exploitation allows the attacker to perform actions within the admin session, such as stealing session cookies, modifying form configurations, or escalating privileges. Since the XSS is stored, it can affect multiple administrators who view the tainted submission, increasing the potential for lateral movement or data exfiltration [1][4].
Mitigation
The vulnerability was first patched in version 1.0.2 and also in 1.1.0. A merge error reintroduced the bug in later versions, requiring additional patches in versions 2.2.5 and 3.1.1. Administrators should upgrade to any of these patched versions immediately; no workarounds are available [1][2][3][4].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
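The rendering defect described in the Exploitation and Mitigation paragraphs, as an added example that is not the module's own code: a plain-PHP stand-in for `CapturedFormSubmission::Details()` that shows the raw concatenation beside the escaped form, with `htmlspecialchars()` standing in for Silverstripe's `DBField::XML()` / `forTemplate()` on a plain text field (an assumption; an HTML-typed field would not be escaped by `forTemplate()`), plus a regression check of the kind that would have caught the merge error. The function names and the sample submission are constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example, not the silverstripe-form-capture module's code.
// Stand-in for CapturedFormSubmission::Details(): renders captured fields as
// "<strong>Title</strong>: Value" lines, once the vulnerable way and once the
// hardened way. htmlspecialchars() stands in for Silverstripe's DBField::XML()
// on a plain Text field (assumption: Value is not declared as HTMLText).

/** Escape untrusted text for an HTML text context (quotes included). */
function escapeHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Vulnerable rendering (the pre-fix shape): stored values are concatenated raw,
 * so markup submitted through the public form reaches the admin's browser as
 * markup. Kept only to show what the hardened version must not do.
 */
function renderDetailsVulnerable(array $fields): string
{
    $toAdd = [];
    foreach ($fields as $field) {
        if ($field['Value'] === '') {
            continue;
        }
        $toAdd[] = '<strong>' . $field['Title'] . '</strong>: ' . $field['Value'];
    }
    return implode('<br>', $toAdd);
}

/** Hardened rendering: every untrusted string is escaped before concatenation. */
function renderDetails(array $fields): string
{
    $toAdd = [];
    foreach ($fields as $field) {
        if ($field['Value'] === '') {
            continue;
        }
        // Title is escaped too: escaping a trusted label costs nothing and removes
        // the question of whether the label is ever attacker-influenced.
        $toAdd[] = '<strong>' . escapeHtml($field['Title']) . '</strong>: '
            . escapeHtml($field['Value']);
    }
    return implode('<br>', $toAdd);
}

/**
 * Regression check: fails if raw concatenation is ever reintroduced, as the
 * merge error recorded in the advisory did. The submission is constructed data.
 */
function detailsAreEscaped(): bool
{
    $submission = [
        ['Title' => 'Name',    'Value' => 'Ada Lovelace'],
        ['Title' => 'Message', 'Value' => '<script>alert("stored xss")</script>'],
        ['Title' => 'Empty',   'Value' => ''],
    ];
    $html = renderDetails($submission);
    return strpos($html, '<script>') === false
        && strpos($html, '&lt;script&gt;') !== false
        && strpos($html, 'Empty') === false;
}

// Illustration when run from the CLI: `php details_escape_check.php`
if (PHP_SAPI === 'cli') {
    $sample = [['Title' => 'Message', 'Value' => '<b>x</b>']];
    echo 'vulnerable: ' . renderDetailsVulnerable($sample) . PHP_EOL;
    echo 'hardened:   ' . renderDetails($sample) . PHP_EOL;
    exit(detailsAreEscaped() ? 0 : 1);
}
```

The check only asserts on the return value of `renderDetails()`, so it belongs in the module's unit tests rather than in any template; a test of this shape fails the build the moment a merge drops the escaping call.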
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| bigfork/silverstripe-form-capture (Packagist) | >= 3.0.0, < 3.1.1 | 3.1.1 |
| andrewhaine/silverstripe-form-capture (Packagist) | >= 0.2.0, < 1.0.2 | 1.0.2 |
| andrewhaine/silverstripe-form-capture (Packagist) | >= 2.0.0, < 2.2.5 | 2.2.5 |
| andrewhaine/silverstripe-form-capture (Packagist) | >= 1.0.0, < 1.0.2 | 1.0.2 |
Affected products
- Range: >=0.2.0, <1.0.2 || <1.1.0 || <2.2.5 || <3.1.1
- ghsa-coords (2 versions): >= 0.2.0, < 1.0.2, and 1 more
- (no CPE) range: >= 0.2.0, < 1.0.2
- (no CPE) range: >= 3.0.0, < 3.1.1
- bigfork/silverstripe-form-capture (v5) range: >= 0.2.0, < 1.0.2
Patches
5b3aa39dd1ee: Fix improper escaping of details fields in GridField view
1 file changed · +1 −1
src/Model/CapturedFormSubmission.php+1 −1 modified@@ -134,7 +134,7 @@ public function Details(): DBHTMLText continue; } - $htmlEnt = '<strong>'. $field->Title .'</strong>: '. $field->Value; + $htmlEnt = '<strong>'. $field->Title .'</strong>: '. $field->dbObject('Value')->forTemplate(); $toAdd[] = $htmlEnt; }
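Review bot: `$field->Title` is still concatenated into the HTML string unescaped on the `+` line; only `Value` now goes through `$field->dbObject('Value')->forTemplate()`. If the field title can ever come from anything other than trusted admin configuration, escape it the same way (`$field->dbObject('Title')->forTemplate()`), and either way a short comment stating why Title is trusted would stop the next reader from reopening the question. Please also confirm that `Value` is declared as a plain text field, since `forTemplate()` only escapes such fields and would pass HTML-typed content through unchanged.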
3a7a3c480e3f: FIX: Guard against XSS in CapturedFormSubmission
1 file changed · +1 −1
code/CapturedFormSubmission.php+1 −1 modified@@ -88,7 +88,7 @@ public function Details() { if(!$field->Value) continue; - $htmlEnt = '<strong>'. $field->Title .'</strong>: '. $field->Value; + $htmlEnt = '<strong>'. $field->Title .'</strong>: '. $field->dbObject('Value')->XML(); array_push($toAdd, $htmlEnt); }
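Review bot: the same `$field->Title` concatenation is left unescaped beside the now-escaped `$field->dbObject('Value')->XML()`, so the guard is only as complete as the trust placed in field titles; escape it too or document why it is safe. Given that the advisory records this exact fix being lost in a later merge, a unit test that builds a submission whose value contains `<script>` and asserts that `Details()` returns `&lt;script&gt;` rather than `<script>` would have caught the regression, and is worth adding with this change. Unrelated to the XSS but on the line being touched: `if(!$field->Value) continue;` also drops a legitimate submitted value of `"0"`; a `=== ''` comparison avoids that.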
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-38h6-gmr2-j4wx (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-28851 (GHSA advisory)
- github.com/bigfork/silverstripe-form-capture/commit/3a7a3c480e3fccddce9c5f359796d45a8302a622 (GHSA, web)
- github.com/bigfork/silverstripe-form-capture/commit/5b3aa39dd1eef042f173167b0fa4d3f717971772 (GHSA, x_refsource_MISC, web)
- github.com/bigfork/silverstripe-form-capture/security/advisories/GHSA-38h6-gmr2-j4wx (GHSA, x_refsource_CONFIRM, web)