CVE-2024-47605
MEDIUM5.4EPSS 5.4%Silverstripe Framework has a XSS via insert media remote file oembed
Published: 1/14/2025Modified: 1/23/2025
Also known as:GHSA-7cmp-cgg8-4c82
Description
### Impact When using the "insert media" functionality, the linked oEmbed JSON includes an HTML attribute which will replace the embed shortcode. The HTML is not sanitized before replacing the shortcode, allowing a script payload to be executed on both the CMS and the front-end of the website. ## References - https://www.silverstripe.org/download/security-releases/cve-2024-47605 ## Reported by James Nicoll from [Fujitsu Cyber Security Services](https://www.fujitsu.com/nz/services/security/)
Affected packages (1)
- Packagist/silverstripe/frameworkfrom 0, < 5.3.8
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.4 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N |
References (6)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-47605
- PATCHhttps://github.com/silverstripe/silverstripe-framework
- WEBhttps://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2024-47605.yaml
- WEBhttps://github.com/silverstripe/silverstripe-asset-admin/security/advisories/GHSA-7cmp-cgg8-4c82
- WEBhttps://github.com/silverstripe/silverstripe-framework/commit/09b5052c86932f273e0d733428c9aade70ff2a4a
- WEBhttps://www.silverstripe.org/download/security-releases/cve-2024-47605