Skip to main content

This site requires you to update your browser. Your browsing experience maybe affected by not having the most up to date version.

Silverstripe CMS security patches

 

Silverstripe CMS security patches

We are releasing two security patches for Silverstripe CMS to address two security vulnerabilities.

Posted in Open Source

Maxime Rainville

by Maxime Rainville

Posted 31 July 2023

Read post

We are releasing two security patches for Silverstripe CMS to address two security vulnerabilities. These vulnerabilities were confidentially reported to us, and we are not aware of any attempt to exploit them before the official disclosure today.

  • The first vulnerability has a medium impact and only affects Silverstripe CMS 4.
  • The second vulnerability will not impact the vast majority of Silverstripe CMS projects, and affects Silverstripe CMS 4 and 5.

SS-2023-002 Cross-site scripting (XSS) vulnerability in outdated TinyMCE library

This vulnerability only impacts Silverstripe CMS 4 as it is inherited from an outdated third-party dependency in Silverstripe CMS 4. It can not be exploited at will.

An attacker would have to trick a legitimate user with CMS access to exploit this vulnerability.The damage would be limited by the user’s privileges. The vulnerability is considered to have a medium impact due to these mitigating factors.

What does this mean for me?

If you are a Silverstripe CMS 4 user, upgrade the ‘silverstripe/admin’ module to 1.13.6 or greater to remedy this vulnerability.

If you are a Silverstripe CMS 5 user, you are not affected by this vulnerability as all dependencies in CMS 5 have been upgraded to recent versions.

Read the SS-2023-002 security advisory for the technical details of this vulnerability.

CVE-2023-32302 Members with no password can be created and bypass custom login forms

Silverstripe CMS 4 and 5 allow the creation of users without passwords. However, the login form will not let a user authenticate without a password. So a passwordless user cannot use a vanilla Silverstripe CMS site.

We’ve concluded that this vulnerability will have no impact on the vast majority of Silverstripe CMS sites. However, we’ve decided to harden the member creation UI to disallow the creation of passwordless users. Upgrade ‘silverstripe/framework’ to 4.13.12 or 5.0.11 to get this updated behaviour.

What does this mean for me?

You will only be affected by this vulnerability if:

  • your project has implemented custom authentication logic that doesn’t block passwordless authentication, and
  • a passwordless user has been inadvertently created.

If those two conditions don’t apply to your project, you don’t need to take any immediate action.

If you think your project might be at risk, we recommend updating your custom authentication logic to disallow passwordless authentication. You can also run a task to identify users with no password.

Read the CVE-2023-32302 security advisory for the technical details and a sample task to identify passwordless users.

Planning your upgrade

We recommend Silverstripe CMS projects upgrade as soon as practical.

Neither of these patches are expected to carry a risk of regression.

Keen to get your upgrade underway?

Talk to your Digital Agency or Developer about upgrading

If you haven’t got a developer or agency, don’t worry! Find a Silverstripe CMS developer near you on the Silverstripe CMS Developer Network or the Silverstripe Professional Partner Directory.

Or reach out to Silverstripe directly to upgrade your project.

Make a comment

About the author
Maxime Rainville

Maxime is the CMS Squad Team Lead. The CMS Squad is the team inside Silverstripe that looks after Silverstripe CMS day-to-day.

Post your comment

Comments

No one has commented on this page yet.

RSS feed for comments on this page | RSS feed for all comments