CVE-2024-47605
MEDIUM5.4EPSS 5.4%Silverstripe Framework has a XSS via insert media remote file oembed
發布日:2025/1/14修改日:2025/1/23
描述
### Impact When using the "insert media" functionality, the linked oEmbed JSON includes an HTML attribute which will replace the embed shortcode. The HTML is not sanitized before replacing the shortcode, allowing a script payload to be executed on both the CMS and the front-end of the website. ## References - https://www.silverstripe.org/download/security-releases/cve-2024-47605 ## Reported by James Nicoll from [Fujitsu Cyber Security Services](https://www.fujitsu.com/nz/services/security/)
受影響套件(1)
- Packagist/silverstripe/frameworkfrom 0, < 5.3.8
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.4 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N |
參考連結(6)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-47605
- PATCHhttps://github.com/silverstripe/silverstripe-framework
- WEBhttps://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2024-47605.yaml
- WEBhttps://github.com/silverstripe/silverstripe-asset-admin/security/advisories/GHSA-7cmp-cgg8-4c82
- WEBhttps://github.com/silverstripe/silverstripe-framework/commit/09b5052c86932f273e0d733428c9aade70ff2a4a
- WEBhttps://www.silverstripe.org/download/security-releases/cve-2024-47605