[GHSA-hcch-w73c-jp4m] Statamic vulnerable to privilege escalation via stored cross-site scripting #7383
Hi there @jasonvarga! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository. This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Adds an explicit credit entry to the advisory write-up for GHSA-hcch-w73c-jp4m.
Changes:
- Appends a “### Credits” section to the advisory `details` text.
| ], | ||
| "summary": "Statamic vulnerable to privilege escalation via stored cross-site scripting", | ||
| "details": "### Impact\n\nStored XSS in the control panel color mode preference allows authenticated users with control panel access to inject malicious JavaScript that executes when a higher-privileged user impersonates their account.\n\n### Patches\n\nThis has been fixed in 6.6.2.", | ||
| "details": "### Impact\n\nStored XSS in the control panel color mode preference allows authenticated users with control panel access to inject malicious JavaScript that executes when a higher-privileged user impersonates their account.\n\n### Patches\n\nThis has been fixed in 6.6.2.\n\n### Credits\nShirsendu Mondal - UNC Pembroke", |
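Review bot: the appended section separates its heading from its content with a single `\n` (`### Credits\nShirsendu Mondal - UNC Pembroke`), while the existing `### Impact\n\n` and `### Patches\n\n` headings are followed by a blank line; use `\n\n` after `### Credits` so the new section renders consistently with the rest of the details text.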
The PR description asks to add “Shirsendu Mondal (@Shirshaw64p)”, but the added credits line does not include the GitHub handle and instead includes an affiliation (“UNC Pembroke”). Update the credits line to match the requested attribution (or update the PR description if the intended credit text is different).
| ], | ||
| "summary": "Statamic vulnerable to privilege escalation via stored cross-site scripting", | ||
| "details": "### Impact\n\nStored XSS in the control panel color mode preference allows authenticated users with control panel access to inject malicious JavaScript that executes when a higher-privileged user impersonates their account.\n\n### Patches\n\nThis has been fixed in 6.6.2.", | ||
| "details": "### Impact\n\nStored XSS in the control panel color mode preference allows authenticated users with control panel access to inject malicious JavaScript that executes when a higher-privileged user impersonates their account.\n\n### Patches\n\nThis has been fixed in 6.6.2.\n\n### Credits\nShirsendu Mondal - UNC Pembroke", |
Embedding credits only inside the free-form details markdown can make attribution harder to query/standardize across advisories. If this repository’s advisory schema supports structured attribution (for example, a dedicated credits/acknowledgements field used in other advisories), prefer adding the credit there and keep details focused on impact/patch guidance.
| "details": "### Impact\n\nStored XSS in the control panel color mode preference allows authenticated users with control panel access to inject malicious JavaScript that executes when a higher-privileged user impersonates their account.\n\n### Patches\n\nThis has been fixed in 6.6.2.\n\n### Credits\nShirsendu Mondal - UNC Pembroke", | |
| "details": "### Impact\n\nStored XSS in the control panel color mode preference allows authenticated users with control panel access to inject malicious JavaScript that executes when a higher-privileged user impersonates their account.\n\n### Patches\n\nThis has been fixed in 6.6.2.", | |
| "credits": [ | |
| { | |
| "name": "Shirsendu Mondal", | |
| "contact": [ | |
| "UNC Pembroke" | |
| ] | |
| } | |
| ], |
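Review bot: the suggested `credits` entry places the affiliation string `"UNC Pembroke"` under `contact`; assuming this follows the OSV `credits` object used by these advisory files, `contact` is a list of contact references (typically URLs) rather than an affiliation. Since the PR description names the reporter as @Shirshaw64p, the GitHub profile URL for that handle would be the appropriate `contact` value, or omit `contact` and keep only `name`.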
@Shirshaw64p is already credited as the reporter.

Closing due to

Add the name of the credit holder: Shirsendu Mondal (@Shirshaw64p), which is me.