We have released three security patches for Silverstripe CMS to address security vulnerabilities. These vulnerabilities were reported to us following the documented process for reporting security issues, and we are not aware of any attempt to exploit them before the official disclosure today.
All of these vulnerabilities have a “medium” severity rating. These vulnerabilities are all present in both the 4.x and 5.x release lines of Silverstripe CMS, but are only patched in the 5.x release lines of Silverstripe CMS as per our major release policy.
See the release process documentation for more information about severity ratings.
CVE-2024-29885 - Reports are still accessible even when canView is set to false
The Report class has a canView() method. If that method is configured to return false, the current user should not be able to view the report. While the report list will omit any report whose canView() returns false, such reports can still be accessed directly via the URL for that report, provided the user has the CMS_ACCESS_ReportAdmin permission. After patching, the canView() permissions will be properly respected.
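The following is an added example of a report that restricts access through canView(); it is not code from the Silverstripe release post or the silverstripe/reports module. The class name, the permission code VIEW_FAILED_LOGIN_REPORT and the report's contents are assumptions chosen for illustration. A project whose reports look like this is the kind of project the advisory applies to, because before silverstripe/reports 5.2.3 the canView() result only hid the report from the list and was not enforced on the report's own URL.

```php
<?php

// Added example (not from the Silverstripe release post or the silverstripe/reports module).
// Assumed names: App\Reports\FailedLoginReport and the permission code VIEW_FAILED_LOGIN_REPORT.

namespace App\Reports;

use SilverStripe\Reports\Report;
use SilverStripe\Security\Member;
use SilverStripe\Security\Permission;
use SilverStripe\Security\PermissionProvider;
use SilverStripe\Security\Security;

class FailedLoginReport extends Report implements PermissionProvider
{
    public function title()
    {
        return 'Members with failed login attempts';
    }

    // This is the check the advisory concerns. Before silverstripe/reports 5.2.3 a user holding
    // CMS_ACCESS_ReportAdmin could still open this report by its URL when this method returned
    // false: the report list hid it, but the report itself did not refuse the request.
    public function canView($member = null)
    {
        if (!$member) {
            $member = Security::getCurrentUser();
        }
        if (!$member) {
            return false;
        }
        return Permission::check('VIEW_FAILED_LOGIN_REPORT', 'any', $member);
    }

    // Registers the custom permission code so it can be granted to groups in the Security admin
    // instead of relying on CMS_ACCESS_ReportAdmin alone.
    public function providePermissions()
    {
        return [
            'VIEW_FAILED_LOGIN_REPORT' => 'View the failed login attempts report',
        ];
    }

    // Constructed query for the example: members whose failed login counter is above zero.
    public function sourceRecords($params = [], $sort = null, $limit = null)
    {
        return Member::get()->filter('FailedLoginCount:GreaterThan', 0);
    }

    public function columns()
    {
        return [
            'Email' => 'Email',
            'FailedLoginCount' => 'Failed logins',
        ];
    }
}
```

Because canView() is the only gate on the report data, the fix in 5.2.3 matters regardless of whether a report's own permission code is granted narrowly: until the module is upgraded, membership of a group that holds CMS_ACCESS_ReportAdmin is sufficient to reach the report's URL.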
What does this mean for me?
You will only be affected by this vulnerability if:
- your project has any reports that implement a canView() method to restrict access.
Upgrade the silverstripe/reports module to 5.2.3 to remedy this vulnerability.
Read the CVE-2024-29885 security advisory for the technical details of this vulnerability.
CVE-2024-32981 - XSS Vulnerability with text/html base64-encoded payload
A specially crafted XSS payload could be inserted into a field in the CMS when logged in as a CMS user with regular permissions. This XSS could be executed either in the CMS or on the front-end of the website.
What does this mean for me?
Upgrade the silverstripe/framework module to 5.2.16 to remedy this vulnerability.
Read the CVE-2024-32981 security advisory for the technical details of this vulnerability.
SS-2024-001 - TinyMCE allows svg files linked in object tags
TinyMCE v6 has a configuration value convert_unsafe_embeds which, when set to false, allows SVG files containing JavaScript to be saved; these can be used as a vector for XSS attacks.
After patching, the default value of convert_unsafe_embeds will be set to true. This means that <object> tags will be converted to <iframe> tags the next time the page is saved, which may break any pages that rely upon previously saved object tags. Users can override this config if desired so that <object> tags are again used instead of <iframe> tags. Note that <embed> tags are not allowed by default.
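As an added example (not code from the Silverstripe release post or from the framework), the snippet below pins convert_unsafe_embeds for the CMS editor configuration in a project's app/_config.php. The file path and the assumption that the project only uses the standard 'cms' editor configuration are illustrative; projects that define additional named editor configurations would apply the same call to each of them. Pinning the value in project code makes the intended setting visible at review time rather than leaving it to the framework default.

```php
<?php

// Added example for app/_config.php (not from the Silverstripe release post or framework).
// Assumes the project uses the standard 'cms' editor configuration shipped with the CMS.

use SilverStripe\Forms\HTMLEditor\TinyMCEConfig;

$cmsEditor = TinyMCEConfig::get('cms');

// Weak setting (the pre-patch default described in SS-2024-001): SVG content reachable
// through <object> is left in place when the page is saved.
//   $cmsEditor->setOption('convert_unsafe_embeds', false);

// Hardened setting, matching the default introduced in silverstripe/framework 5.2.16:
// <object> elements are converted to <iframe> on the next save.
$cmsEditor->setOption('convert_unsafe_embeds', true);
```

If a project genuinely depends on <object> tags being preserved, the advisory notes that the option can be overridden; the comment in the block shows where that decision would be recorded, so that it is an explicit, reviewable choice rather than an inherited default.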
This vulnerability was described by TinyMCE as follows:
A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content loading and content inserting code. An SVG image could be loaded through an object or embed element and that image could potentially contain an XSS payload.
What does this mean for me?
You will only be affected by this vulnerability if:
- Content authors use the <object> tag in TinyMCE and there is some logic that relies on an <object> tag being output.
Upgrade the silverstripe/framework module to 5.2.16 to remedy this vulnerability.
Read the SS-2024-001 security advisory for the technical details of this vulnerability.
Security patch release windows
In August 2023 we adopted a minor release policy, which complements the major release policy we adopted in September 2022. The minor release policy includes release windows for security patches such as this one.
Read the minor release policy for more information about security patch release windows.