Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS00cTY2LWc0bW0tOHJnNc4AA0-O

Silverstripe has Cross-site Scripting (XSS) vulnerabilities inherited from TinyMCE

TinyMCE 4.x is vulnerable to several XSS vectors, which had been patched in later versions. Two of these have been identified as affecting silverstripe/admin.

Only Silverstripe CMS 4 is affected by this issue. It's not possible to upgrade Silverstripe CMS 4 to use a more recent release of TinyMCE without introducing breaking changes. Instead, the security patches that shipped in later releases of TinyMCE have been backported to the TinyMCE version bundled in silverstripe/admin.

Silverstripe CMS 5 is not affected by those vulnerabilities because it uses TinyMCE 6.

You can find more information about the underlying vulnerabilities in those GitHub security advisories:

• GHSA-5h9g-x5rv-25wg Cross-site scripting vulnerability in TinyMCE
• GHSA-w7jx-j77m-wp65 Cross-site scripting vulnerability in TinyMCE

Permalink: https://github.com/advisories/GHSA-4q66-g4mm-8rg5
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00cTY2LWc0bW0tOHJnNc4AA0-O
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 9 months ago
Updated: 9 months ago

CVSS Score: 5.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Identifiers: GHSA-4q66-g4mm-8rg5
References:

• https://github.com/silverstripe/silverstripe-admin/security/advisories/GHSA-4q66-g4mm-8rg5
• https://github.com/silverstripe/silverstripe-admin/commit/cafc1c4de58f1553b019dc2f8a62f835cabdbeb2
• https://github.com/advisories/GHSA-5h9g-x5rv-25wg
• https://github.com/advisories/GHSA-w7jx-j77m-wp65
• https://github.com/advisories/GHSA-4q66-g4mm-8rg5

Repository: https://github.com/silverstripe/silverstripe-admin
Blast Radius: 14.8

Affected Packages