GHSA-wqm8-jx8r-8rcq – silverstripe/admin

Package

Manager: composer
Name: silverstripe/admin
Vulnerable Version: >=0 <1.12.7

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

Cross-site scripting vulnerabilities in old version of bundled TinyMCE An old version of TinyMCE include an XSS vulnerability, which was patched in a later version. This was described by TinyMCE: > A cross-site scripting (XSS) vulnerability was discovered in the core parser. The vulnerability allowed arbitrary JavaScript execution when inserting a specially crafted piece of content into the editor via the clipboard or APIs. This impacts all users who are using TinyMCE 4.9.10 or lower and TinyMCE 5.4.0 or lower. We reviewed the potential impact of this vulnerability within the context of Silverstripe CMS. We concluded this is a medium impact vulnerability given how TinyMCE is used by Silverstripe CMS. Reported by: Developers at ACC

Metadata

Created: 2023-04-26T15:54:44Z
Modified: 2023-04-26T15:54:44Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-wqm8-jx8r-8rcq/GHSA-wqm8-jx8r-8rcq.json
CWE IDs: []
Alternative ID: N/A
Finding: F008
Auto approve: 1