
CVE-2025-25197 XSS attack in elemental "Content blocks in use" report

Severity:
Medium
Identifier:
CVE-2025-25197
Versions Affected:
dnadesign/silverstripe-elemental: <5.3.12
Versions Fixed:
dnadesign/silverstripe-elemental: 5.3.12
Release Date:
2025-04-10

An elemental block can include an XSS payload, which is executed in the browser of a CMS user who views the "Content blocks in use" report.

The vulnerability is specific to that report: block data was not cast to an escaped type before being included in the report's grid field, so markup in the data was rendered as-is.
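The following is an added example, not code from the advisory or from the silverstripe-elemental module. It models the pattern described above in plain PHP with no framework dependency: a block title lands in a grid cell. One renderer concatenates the raw string (the defect class named here), the other casts it to escaped text first, which is what SilverStripe's `Convert::raw2xml()` does internally via `htmlspecialchars()`. The block records and the payload string are constructed sample data, and `containsUnescapedTag()` is a hypothetical helper for checking the rendered output.

```php
<?php
// Added example: plain-PHP model of the "cast before rendering in a grid field"
// issue. Not the module's code; no SilverStripe classes are used.
declare(strict_types=1);

// Constructed sample data standing in for elemental block records.
$blocks = [
    ['ID' => 1, 'Title' => 'Hero banner'],
    ['ID' => 2, 'Title' => '<img src=x onerror="alert(document.domain)">'], // constructed payload
];

// Vulnerable pattern: the title is trusted as markup and dropped straight into the cell.
function renderCellUnsafe(string $value): string
{
    return '<td>' . $value . '</td>';
}

// Hardened pattern: cast to escaped text before it reaches the grid.
// Equivalent in effect to SilverStripe's Convert::raw2xml().
function castToText(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderCellSafe(string $value): string
{
    return '<td>' . castToText($value) . '</td>';
}

// Hypothetical defender-side check: after stripping the <td> wrapper we
// generated ourselves, is there still a raw element left inside the cell?
function containsUnescapedTag(string $html): bool
{
    $inner = preg_replace('#^<td>(.*)</td>$#s', '$1', $html);
    return (bool) preg_match('/<[a-z][^>]*>/i', $inner);
}

foreach ($blocks as $block) {
    $unsafe = renderCellUnsafe($block['Title']);
    $safe   = renderCellSafe($block['Title']);
    printf(
        "Block %d\n  unsafe: %s\n    raw tag present: %s\n  safe:   %s\n    raw tag present: %s\n",
        $block['ID'],
        $unsafe,
        containsUnescapedTag($unsafe) ? 'yes' : 'no',
        $safe,
        containsUnescapedTag($safe) ? 'yes' : 'no'
    );
}
```

Run with `php example.php`. For block 2 the unsafe cell keeps the `<img ...>` element intact (the check reports `yes`), while the safe cell contains only `&lt;img ...&gt;` text (the check reports `no`). In a SilverStripe report the same outcome is reached by returning a `DBVarchar`/`DBText` value, or a plain string that the grid column escapes, rather than a value marked as `HTMLText`.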

Base CVSS: 5.4
Reported by: Guy Sartorelli from Silverstripe Ltd.