UPDATE
The below patches introduced an unintended regression for the dnadesign/silverstripe-elemental module. The regression has been fixed. If you use that module, please update to version 5.3.6.
We've released three security patches for Silverstripe CMS to address security vulnerabilities. These vulnerabilities were reported to us following the documented process for reporting security issues, and we are not aware of any attempt to exploit them before the official disclosure today.
Two of these vulnerabilities have a 'medium' severity rating, and one has a severity rating of 'none'. All of these vulnerabilities are present in both the 4.x and 5.x release lines of Silverstripe CMS, but are only patched in the 5.x release lines of Silverstripe CMS as per our major release policy.
See the release process documentation for more information about severity ratings.
CVE-2024-47605 - XSS via insert media remote file oembed
Inside the WYSIWYG for Silverstripe CMS, there's often an 'insert media' option which allows you to embed content from external websites (such as YouTube videos) onto your site.
The oEmbed format allows for HTML to be provided which will be used as the embedded content. That HTML wasn't sanitised before being embedded, allowing an XSS payload to be executed on both the CMS and the front-end of the website.
The patch sandboxes any potentially dangerous embeds inside an iframe. This allows any scripts to still execute (as this may be necessary for the embed to work as expected) while limiting the script's context to the iframe itself, so it can't affect your site directly.
You can explicitly declare domains which should be excluded from sandboxing if you find it's interfering with embeds from specific domains. For example, if a YouTube embed was not rendering correctly as a result of the sandboxing you could use this YAML configuration:
SilverStripe\View\Shortcodes\EmbedShortcodeProvider:
  domains_excluded_from_sandboxing:
    - 'youtube.com'
Do not include the protocol (i.e. don't include 'https://' or 'http://').
Developers can also change the attributes of the iframe itself with this YAML configuration:
SilverStripe\View\Shortcodes\EmbedShortcodeProvider:
  sandboxed_iframe_attributes:
    allow: 'fullscreen'
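To make the sandboxing decision and the iframe wrapping concrete, here is an added example (not Silverstripe's own implementation) that mirrors the two settings above: a domain exclusion list that matches a provider host or its subdomains, and configurable attributes on the generated iframe. The config values, helper names and sample oEmbed responses are constructed for this example.

```python
import html
from urllib.parse import urlparse

# Constructed configuration that mirrors the two YAML settings described above.
# The values are assumptions for this example, not Silverstripe's defaults.
DOMAINS_EXCLUDED_FROM_SANDBOXING = ["youtube.com"]
SANDBOXED_IFRAME_ATTRIBUTES = {"allow": "fullscreen"}


def host_matches(host: str, domain: str) -> bool:
    """True when host equals the configured domain or is a subdomain of it.

    A plain suffix test would accept 'notyoutube.com', so the label boundary
    is checked explicitly. Configured domains carry no protocol (see note above).
    """
    host = host.lower().rstrip(".")
    domain = domain.lower().strip("/").rstrip(".")
    return host == domain or host.endswith("." + domain)


def is_excluded(provider_url: str, excluded=DOMAINS_EXCLUDED_FROM_SANDBOXING) -> bool:
    """Decide from the provider URL whether the embed is exempt from sandboxing."""
    host = urlparse(provider_url).hostname or ""
    return any(host_matches(host, d) for d in excluded)


def render_embed(oembed_html: str, provider_url: str,
                 excluded=DOMAINS_EXCLUDED_FROM_SANDBOXING,
                 attrs=SANDBOXED_IFRAME_ATTRIBUTES) -> str:
    """Emit provider HTML as-is for excluded domains, otherwise inside a sandboxed iframe."""
    if is_excluded(provider_url, excluded):
        return oembed_html
    # 'sandbox' without allow-same-origin gives the srcdoc document an opaque origin:
    # its scripts may run (allow-scripts) but cannot reach the host page's DOM,
    # cookies or storage. Never add allow-same-origin alongside allow-scripts, as
    # that would let the embedded document remove its own sandbox restrictions.
    extra = "".join(
        f' {html.escape(k, quote=True)}="{html.escape(v, quote=True)}"'
        for k, v in attrs.items()
    )
    # Escaping the whole document for the srcdoc attribute keeps the embed's own
    # entity references and quotes intact once the browser decodes the attribute.
    srcdoc = html.escape(oembed_html, quote=True)
    return f'<iframe sandbox="allow-scripts" srcdoc="{srcdoc}"{extra}></iframe>'


if __name__ == "__main__":
    # Constructed oEmbed responses: one from an excluded provider, one from an unknown site.
    print(render_embed('<iframe src="https://www.youtube.com/embed/x"></iframe>',
                       "https://www.youtube.com/watch?v=x"))
    print(render_embed('<div id="w"></div><script src="https://example.net/w.js"></script>',
                       "https://example.net/post/1"))
```

Note that a configured value with a protocol prefix never matches a host, which is why the page tells you to leave 'https://' out of the exclusion list.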
Upgrade the silverstripe/framework module to 5.3.8 to remedy this vulnerability.
Read the CVE-2024-47605 security advisory for the technical details of this vulnerability.
CVE-2024-53277 - XSS in form messages
Forms can contain messages to provide feedback to the user. This is leveraged in the CMS, for example, when saving, deleting, publishing and performing other actions in some admin sections.
In some cases, form messages can contain HTML markup. This is an intentional feature, allowing links and other relevant HTML markup for the given message so that it contains all of the context and formatting required to concisely and effectively inform the user about what's happening.
Some form messages include content that the user can provide and there are some scenarios in the CMS where that content doesn't get correctly sanitised prior to being included in the form message, resulting in an XSS vulnerability.
Upgrade the silverstripe/framework module to 5.3.8 to remedy this vulnerability.
Read the CVE-2024-53277 security advisory for the technical details of this vulnerability.
SS-2024-002 - Reflected Cross Site Scripting (XSS) in error message
This vulnerability only affects sites which are in the 'dev' environment mode. If your production website is in 'dev' mode, it has been misconfigured, and you should immediately swap it to 'live' mode. See the developer documentation for more information about environment modes.
If a website has been set to the 'dev' environment mode, a URL can be supplied that includes an XSS payload, which is then executed in the resulting error message.
In the 'test' and 'live' environment modes, the error is handled differently, so the XSS attack isn't possible in those modes.
Upgrade the silverstripe/framework module to 5.3.8 to remedy this vulnerability.
Read the SS-2024-002 security advisory for the technical details of this vulnerability.
Security patch release windows
The minor release policy includes quarterly release windows for security patches like this one.
Read the minor release policy for more information about security patch release windows.