CVE-2017-14498 – silverstripe/cms
Package
Manager: composer
Name: silverstripe/cms
Vulnerable Version: >=0 <3.6.1
Severity
Level: Medium
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00375 (percentile: 0.58356)
Details
Silverstripe CMS XSS Vulnerability
SilverStripe CMS before 3.6.1 has XSS via an SVG document that is mishandled by (1) the Insert Media option in the content editor or (2) an admin/assets/add pathname, as demonstrated by the admin/pages/edit/EditorToolbar/MediaForm/field/AssetUploadField/upload URI, aka issue SS-2017-017.
Metadata
Created: 2022-05-17T00:29:00Z
Modified: 2023-07-27T00:42:17Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-j696-6m57-mcrv/GHSA-j696-6m57-mcrv.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-j696-6m57-mcrv
Finding: F425
Auto approve: 1