Server-Side Sanitization Fix Released for Silverstripe CMS to Address XSS Vulnerability
CVE-2024-32981

5.4MEDIUM

Key Information:

Vendor

Silverstripe

Status
Silverstripe-framework
Vendor
CVE Published:
17 July 2024

What is CVE-2024-32981?

Silverstripe framework is the PHP framework forming the base for the Silverstripe CMS. In affected versions a bad actor with access to edit content in the CMS could add send a specifically crafted encoded payload to the server, which could be used to inject a JavaScript payload on the front end of the site. The payload would be sanitised on the client-side, but server-side sanitisation doesn't catch it. The server-side sanitisation logic has been updated to sanitise against this type of attack in version 5.2.16. All users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected Version(s)

silverstripe-framework < 5.2.16

References

https://github.com/silverstripe/silverstripe-framework/se...
x_refsource_CONFIRM
https://github.com/silverstripe/silverstripe-framework/co...
x_refsource_MISC
https://www.silverstripe.org/download/security-releases/c...
x_refsource_MISC

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.