Security Releases

This site requires you to update your browser. Your browsing experience maybe affected by not having the most up to date version.

When potential security holes are discovered in SilverStripe's supported modules, we produce security releases to ensure that you are able to promptly secure your SilverStripe websites (check our security release process). All releases are available on our download page, and are announced on our forums (register to subscribe). Vulnerabilities in releases are disclosed here. Please subscribe to our security release RSS feed and pre-announcement mailing list to stay updated.

SS-2016-017: SVG Uploads

Severity:

Low (?)

Identifier:
SS-2016-017

Versions Affected:
<=3.6.0

Versions Fixed:
3.6.1

SVG Images uploads can execute arbitrary scripts, and introduces the risk of XSS.

Upload of files with the .svg extension will be disabled by default.

Discovered by SEC Consult Singapore Pte. Ltd. (https://www.sec-consult.com/)

Security Releases

SS-2016-017: SVG Uploads