GHSA-97jm-g33h-f46g: 
PHP vulnerability analysis and mitigation

The vulnerability (GHSA-97jm-g33h-f46g) affects the SilverStripe framework and involves ReadOnly transformation for formfields being exploitable. The issue was discovered in 2016 and affects multiple versions of the framework including 3.1.x (< 3.1.21), 3.2.x (< 3.2.6), 3.3.x (< 3.3.4), and 3.4.x (< 3.4.2). The vulnerability was patched in versions 3.1.21, 3.2.6, 3.3.4, and 3.4.2 (GitHub Advisory).

The vulnerability is classified as a Moderate severity issue with a CVSS score of 6.1. Form fields returning isReadonly() as true are vulnerable to reflected XSS injections, affecting components including ReadonlyField, LookupField, HTMLReadonlyField, and special purpose fields like TimeField_Readonly. The vulnerability exists because values submitted through these form fields are not properly filtered out from the form session data. SilverStripe forms automatically load values from request data (GET and POST), enabling potential malicious use of URLs when forms use these fields and don't overwrite data on form construction (Silverstripe Security).

The vulnerability can lead to reflected XSS injections through readonly form fields. When form validation errors occur, the form re-renders with previously submitted values by default, potentially displaying malicious content. While readonly and disabled form fields are filtered out in Form->saveInto(), making database persistence unlikely, the vulnerability could still expose users to XSS attacks through form display (GitHub Advisory).

The vulnerability has been patched in versions 3.1.21, 3.2.6, 3.3.4, and 3.4.2. Users should upgrade to these or newer versions to protect against this vulnerability. The fix prevents readonly fields from loading submitted data, as implemented in the framework update (Framework Commit).