
SS-2023-002 Cross-site scripting (XSS) vulnerabilities inherited from TinyMCE

Severity: Medium
Identifier: SS-2023-002
Versions Affected: silverstripe/admin: ^1.0.0
Versions Fixed: silverstripe/admin: ^1.13.6
Release Date: 2023-07-31

TinyMCE 4.x is vulnerable to several XSS vectors that were patched in later TinyMCE releases. Two of these have been identified as affecting silverstripe/admin.

Only Silverstripe CMS 4 is affected by these vulnerabilities. It's not possible to upgrade Silverstripe CMS 4 to use a more recent release of TinyMCE without introducing breaking changes. Instead, the security patches that shipped in later releases of TinyMCE have been backported to the TinyMCE version bundled in silverstripe/admin.

Silverstripe CMS 5 is not affected by these vulnerabilities because it uses TinyMCE 6.
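As an added example that is not part of this advisory, the following Python script checks a project's composer.lock against the version ranges listed above (silverstripe/admin in the 1.x line below 1.13.6 is affected). The lock file content is a constructed sample, and the helper names are the example's own.

```python
import json

# Advisory data from SS-2023-002: silverstripe/admin ^1.0.0 affected, ^1.13.6 fixed,
# so any 1.x release below 1.13.6 is in the affected range.
ADVISORY = "SS-2023-002"
PACKAGE = "silverstripe/admin"
AFFECTED_MAJOR = 1
FIXED_IN = (1, 13, 6)

# Constructed composer.lock excerpt (not taken from a real project).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "silverstripe/framework", "version": "4.13.0"},
        {"name": "silverstripe/admin", "version": "1.13.5"},
    ]
})


def parse_version(text):
    """Turn 'v1.13.5' or '1.13.5-beta1' into a comparable (major, minor, patch) tuple.

    Branch aliases such as 'dev-master' are not resolved and parse as (0, 0, 0).
    """
    core = text.lstrip("vV").split("-")[0].split("+")[0]
    parts = []
    for piece in core.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version):
    """True when the installed version falls inside the advisory's affected range."""
    v = parse_version(version)
    return v[0] == AFFECTED_MAJOR and v < FIXED_IN


def audit_lock(lock_json):
    """Return (installed_version, affected) for silverstripe/admin, or None if absent."""
    data = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            if pkg.get("name") == PACKAGE:
                return pkg["version"], is_affected(pkg["version"])
    return None


if __name__ == "__main__":
    print(ADVISORY, audit_lock(SAMPLE_LOCK))
```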

These vulnerabilities were described by TinyMCE:

A cross-site scripting (XSS) vulnerability was discovered in the schema validation logic of the core parser. The vulnerability allowed arbitrary JavaScript execution when inserting a specially crafted piece of content into the editor using the clipboard or editor APIs. This malicious content could then end up in content published outside the editor, if no server-side sanitization was performed. This impacts all users who are using TinyMCE 5.8.2 or lower.

A cross-site scripting (XSS) vulnerability was discovered in the URL sanitization logic of the core parser. The vulnerability allowed arbitrary JavaScript execution when inserting a specially crafted piece of content into the editor using the clipboard or APIs. This impacts all users who are using TinyMCE 5.5.1 or lower.

Base CVSS: 5.4
Reported by: Guy Sartorelli from Silverstripe
