CVE-2011-4962 — Silverstripe CMS Arbitrary Code Execution

Description

`code/sitefeatures/PageCommentInterface.php` in SilverStripe 2.4.x before 2.4.6 might allow remote attackers to execute arbitrary code via a crafted cookie in a user comment submission, which is not properly handled when it is deserialized.

How to fix CVE-2011-4962

To remediate CVE-2011-4962, upgrade the affected package to a fixed version below.

Packagist/silverstripe/cms—upgrade to 2.4.6 or later

Is CVE-2011-4962 being exploited?

Low — EPSS is 3.9%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 2.4.0, < 2.4.6

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2011-4962
PATCHgithub.com/silverstripe/silverstripe-cms
WEBgithub.com/silverstripe/silverstripe-cms/commit/d15e8509b01ff2dbbe3028a055021a29b1065b22
WEBweb.archive.org/web/20120621234353/http://doc.silverstripe.org/framework/en/trunk/changelogs/2.4.6