GHSA-4q66-g4mm-8rg5
Suggest an improvement- Source
- https://github.com/advisories/GHSA-4q66-g4mm-8rg5
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-4q66-g4mm-8rg5/GHSA-4q66-g4mm-8rg5.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-4q66-g4mm-8rg5
- Published
- 2023-07-31T22:02:35Z
- Modified
- 2024-12-02T05:44:34.311558Z
- Severity
-
- 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N CVSS Calculator
- Summary
- Silverstripe has Cross-site Scripting (XSS) vulnerabilities inherited from TinyMCE
- Details
-
TinyMCE 4.x is vulnerable to several XSS vectors, which had been patched in later versions. Two of these have been identified as affecting
silverstripe/admin.Only Silverstripe CMS 4 is affected by this issue. It's not possible to upgrade Silverstripe CMS 4 to use a more recent release of TinyMCE without introducing breaking changes. Instead, the security patches that shipped in later releases of TinyMCE have been backported to the TinyMCE version bundled in
silverstripe/admin.Silverstripe CMS 5 is not affected by those vulnerabilities because it uses TinyMCE 6.
You can find more information about the underlying vulnerabilities in those GitHub security advisories:
- Database specific
{ "nvd_published_at": null, "cwe_ids": [], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2023-07-31T22:02:35Z" }- References
-
- https://github.com/silverstripe/silverstripe-admin/security/advisories/GHSA-4q66-g4mm-8rg5
- https://github.com/silverstripe/silverstripe-admin/commit/cafc1c4de58f1553b019dc2f8a62f835cabdbeb2
- https://github.com/advisories/GHSA-5h9g-x5rv-25wg
- https://github.com/advisories/GHSA-w7jx-j77m-wp65
- https://github.com/silverstripe/silverstripe-admin
Affected packages
Packagist / silverstripe/admin
Package
- Name
- silverstripe/admin
- Purl
- pkg:composer/silverstripe/admin
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.13.6
Affected versions
1.*
1.0.0-alpha6
1.0.0-alpha7
1.0.0-beta1
1.0.0-beta2
1.0.0-beta3
1.0.0-beta4
1.0.0-rc1
1.0.0-rc2
1.0.0-rc3
1.0.0
1.0.1-rc1
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.1.0-rc1
1.1.0-rc2
1.1.0
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.2.0-beta1
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.2.5
1.2.6
1.3.0-rc1
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5
1.4.0-rc1
1.4.0
1.4.1
1.4.2
1.4.3
1.4.4
1.4.5
1.5.0-alpha1
1.5.0-rc1
1.5.0-rc2
1.5.0
1.5.1
1.5.2
1.6.0-beta1
1.6.0-rc1
1.6.0
1.6.1
1.6.2
1.6.3
1.6.4
1.7.0-beta1
1.7.0-rc1
1.7.0
1.7.1
1.7.2
1.7.3
1.7.4
1.8.0-beta1
1.8.0-rc1
1.8.0
1.8.1
1.9.0-alpha1
1.9.0-beta1
1.9.0-rc1
1.9.0
1.10.0-beta1
1.10.0-rc1
1.10.0
1.10.1
1.10.2
1.10.3
1.10.4
1.11.0-beta1
1.11.0-rc1
1.11.0
1.11.1
1.11.2
1.11.3
1.12.0-beta1
1.12.0-rc1
1.12.0
1.12.1
1.12.2
1.12.3
1.12.4
1.12.5
1.12.6
1.12.7
1.13.0-beta1
1.13.0-rc1
1.13.0
1.13.1
1.13.2
1.13.3
1.13.4
1.13.5