GHSA-xc69-p8fc-m6m5: 
PHP vulnerability analysis and mitigation

A low-level potential SQL injection vulnerability was identified in the silverstripe/subsites module, affecting versions 2.0.0 to 2.1.1. The vulnerability was discovered and fixed in July 2018, with the patch being released in version 2.1.1. This security issue was tracked as SS-2018-016 and GHSA-xc69-p8fc-m6m5 (Silverstripe Advisory, GitHub Advisory).

The vulnerability was related to unsafe SQL query construction, specifically in the handling of group table names. The issue was fixed by implementing proper escaping of the group table name using Convert::raw2sql() to prevent SQL injection possibilities (GitHub Commit). The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (GitHub Advisory).

According to the CVSS metrics, the vulnerability could potentially lead to high impacts on confidentiality, integrity, and availability of the affected systems. The attack vector is network-based with low attack complexity, requiring low privileges and no user interaction (GitHub Advisory).

The vulnerability has been patched in version 2.1.1 of the silverstripe/subsites module. Users are advised to upgrade to this version or later to address the security issue (Silverstripe Advisory).