SS-2024-001 TinyMCE allows svg files linked in object tags
- Severity:
- Medium (?)
- Identifier:
- SS-2024-001
- Versions Affected:
- silverstripe/framework: <5.2.16
- Versions Fixed:
- silverstripe/framework: 5.2.16
TinyMCE v6 has a configuration value convert_unsafe_embeds set to false which allows svg files containing javascript to saved which can be used as a vector for XSS attacks
After patching the default value of convert_unsafe_embeds will be set to true. This means that object tags will be converted to iframes instead the next time the page is saved, which may break any pages that rely upon previously saved object tags. Users are to override this config if desired so that object tags are again used instead of iframes. Note that embed tags are not allowed by default.
We reviewed the potential impact of this vulnerability within the context of Silverstripe CMS. We concluded this is a medium impact vulnerability given how TinyMCE is used by Silverstripe CMS.
This vulnerability was described by TinyMCE as follows:
A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content loading and content inserting code. A SVG image could be loaded though an object or embed element and that image could potentially contain a XSS payload.
Base CVSS: 5.4
Reported by: Steve Boyd - Silverstripe CMS Squad
