
CVE-2024-47605 XSS via insert media remote file oembed

Severity:
Medium
Identifier:
CVE-2024-47605
Versions Affected:
silverstripe/framework: <5.3.8
Versions Fixed:
silverstripe/framework: 5.3.8
Release Date:
2025-01-15

When using the "insert media" functionality, the linked oEmbed JSON includes an html attribute whose value replaces the embed shortcode. That HTML is not sanitized before the replacement, so a script payload can be executed in both the CMS and on the front-end of the website.

See https://docs.silverstripe.org/en/developer_guides/forms/field_types/htmleditorfield/#sandboxing-oembed-html for details about configuring embed sandboxing.
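The following is an added illustration, not Silverstripe's own code, of the pattern the advisory describes: an oEmbed response's html value dropped straight into the page where an [embed] shortcode stood, beside a rendering that isolates the same HTML in a sandboxed iframe. The oEmbed JSON, the shortcode syntax, the cache array and the function names are all constructed for the example.

```php
<?php
// Added example (not Silverstripe's code): unsandboxed vs. sandboxed rendering of
// oEmbed "html" that replaces an [embed] shortcode in stored content.
declare(strict_types=1);

// Constructed oEmbed response, as an untrusted provider could return it.
const OEMBED_JSON = '{"type":"rich","version":"1.0","html":"<div>embed</div><script>alert(1)</script>"}';

// Vulnerable pattern: the provider-controlled HTML lands in the host document,
// so its script runs with the CMS (or front-end) page's origin and session.
function renderEmbedUnsafe(string $oembedJson): string
{
    $data = json_decode($oembedJson, true, 512, JSON_THROW_ON_ERROR);
    return (string) ($data['html'] ?? '');
}

// Hardened pattern: the same HTML is rendered through srcdoc inside a sandboxed
// iframe. "allow-scripts" lets provider players work, but the frame keeps an
// opaque origin, so scripts cannot read the host page's DOM, cookies or storage.
// Never combine allow-scripts with allow-same-origin: that removes the isolation.
function renderEmbedSandboxed(string $oembedJson, string $sandboxFlags = 'allow-scripts'): string
{
    $data = json_decode($oembedJson, true, 512, JSON_THROW_ON_ERROR);
    $html = (string) ($data['html'] ?? '');
    // Escape for an attribute value; the browser unescapes srcdoc before parsing
    // it as a document, so the provider markup still renders inside the frame.
    $escaped = htmlspecialchars($html, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<iframe sandbox="' . htmlspecialchars($sandboxFlags, ENT_QUOTES, 'UTF-8')
        . '" srcdoc="' . $escaped . '"></iframe>';
}

// Shortcode expansion as a content renderer would do it. A hypothetical array
// keyed by embed URL stands in for the HTTP fetch of the provider's oEmbed JSON.
function expandEmbedShortcodes(string $content, array $oembedCache, callable $renderer): string
{
    return preg_replace_callback(
        '/\[embed url="([^"]+)"\]/',
        static fn(array $m): string => isset($oembedCache[$m[1]]) ? $renderer($oembedCache[$m[1]]) : $m[0],
        $content
    );
}

$cache = ['https://provider.example/video/1' => OEMBED_JSON];
$page  = '<p>Intro</p>[embed url="https://provider.example/video/1"]<p>Outro</p>';

echo expandEmbedShortcodes($page, $cache, 'renderEmbedUnsafe'), PHP_EOL;    // <script> is now part of the page
echo expandEmbedShortcodes($page, $cache, 'renderEmbedSandboxed'), PHP_EOL; // same HTML, isolated in an opaque-origin frame
```

A sandboxed frame cannot be styled or sized by the host page as freely as inline markup, so height and width usually have to come from the oEmbed width/height fields rather than from the provider's HTML.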

Base CVSS: 5.4
Reported by: James Nicoll from Fujitsu Cyber Security Services