XSS Vulnerability in Silverstripe Elemental Page Type
CVE-2025-25197

5.4 MEDIUM

Key Information:

Vendor
CVE Published: 10 April 2025

What is CVE-2025-25197?

The Silverstripe Elemental extension allows users to create dynamic pages with manageable content elements. A vulnerability exists in the 'Content blocks in use' report, where an elemental block can include an XSS payload. It stems from improper input handling: the data is not sanitized, so harmful scripts can execute when the report is viewed. The issue has been addressed in version 5.3.12; affected installations should update to that version.

Affected Version(s)

silverstripe-elemental >= 2.1.2, < 5.3.12

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
