CVE-2024-47605 – silverstripe/framework

Package

Manager: composer
Name: silverstripe/framework
Vulnerable Version: >=0 <5.3.8

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.0159 pctl0.80943

Details

Silverstripe Framework has a XSS via insert media remote file oembed ### Impact When using the "insert media" functionality, the linked oEmbed JSON includes an HTML attribute which will replace the embed shortcode. The HTML is not sanitized before replacing the shortcode, allowing a script payload to be executed on both the CMS and the front-end of the website. ## References - https://www.silverstripe.org/download/security-releases/cve-2024-47605 ## Reported by James Nicoll from [Fujitsu Cyber Security Services](https://www.fujitsu.com/nz/services/security/)

Metadata

Created: 2025-01-14T22:18:52Z
Modified: 2025-01-23T17:11:53Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-7cmp-cgg8-4c82/GHSA-7cmp-cgg8-4c82.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-7cmp-cgg8-4c82
Finding: F425
Auto approve: 1