SS-2018-004: XSS Vulnerability via WYSIWYG editor

This site requires you to update your browser. Your browsing experience maybe affected by not having the most up to date version.

Severity:: Low (?)
Identifier:: SS-2018-004
Versions Affected:: silverstripe/admin:^1.0.3, silverstripe/admin:^1.1.0
Versions Fixed:: silverstripe/admin:1.0.4, silverstripe/admin:1.1.1
Release Date:: 2018-05-28

It is possible for a bad actor with access to the CMS to make use of onmouseover or onmouseout attributes in the WYSIWYG editor to embed malicious javascript.

Reported by Jeremy Bates at Heyday Digital (for Aura Information Security)