CVE-2019-19325: 
PHP vulnerability analysis and mitigation

SilverStripe through 4.4.x before 4.4.5 and 4.5.x before 4.5.2 contains a Reflected Cross-Site Scripting (XSS) vulnerability that affects the login form and custom forms. The vulnerability allows malicious HTML or JavaScript to be inserted through non-scalar FormField attributes, which enables XSS attacks on forms built with user input (Request data) (Silverstripe Advisory).

The vulnerability exists due to insufficient validation of non-scalar FormField attributes in forms. It affects the login form provided by Silverstripe, forms configured to populate field values based on request parameters, and forms with form validation applied through RequiredFields that opt-out of CSRF tokens. The vulnerability is more impactful when forms are configured to accept GET submissions rather than the default POST submissions. The base CVSS score is 7.5, indicating high severity (NVD).

This vulnerability can lead to phishing attempts to obtain user credentials or other sensitive user input. While there is no known attack vector for automatically extracting user-session information or credentials, attackers can use XSS to modify content presentation maliciously and conduct phishing attacks. When the login form is used with Multi-Factor Authentication (MFA), the attack complexity for phishing increases (Silverstripe Advisory).

The vulnerability has been fixed in silverstripe/framework versions 4.4.5 and 4.5.2. Users should upgrade to these or later versions. For systems using Multi-Factor Authentication, using security keys such as Yubikey as an unphishable token provides additional mitigation (Silverstripe Advisory).