GHSA-52cw-pvq9-9m5v

Suggest an improvement
Source
https://github.com/advisories/GHSA-52cw-pvq9-9m5v
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-52cw-pvq9-9m5v/GHSA-52cw-pvq9-9m5v.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-52cw-pvq9-9m5v
Published
2024-07-17T16:00:48Z
Modified
2024-07-22T17:01:01.047122Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
  • 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator
Summary
Silverstripe uses TinyMCE which allows svg files linked in object tags
Details

Impact

TinyMCE v6 has a configuration value convert_unsafe_embeds set to false which allows svg files containing javascript to be used in <object> or <embed> tags, which can be used as a vector for XSS attacks.

Note that <embed> tags are not allowed by default.

After patching the default value of convert_unsafe_embeds will be set to true. This means that <object> tags will be converted to iframes instead the next time the page is saved, which may break any pages that rely upon previously saved <object> tags. Developers can override this configuration if desired to revert to the original behaviour.

We reviewed the potential impact of this vulnerability within the context of Silverstripe CMS. We concluded this is a medium impact vulnerability given how TinyMCE is used by Silverstripe CMS.

References:

  • https://www.silverstripe.org/download/security-releases/ss-2024-001
  • https://github.com/advisories/GHSA-5359-pvf2-pw78
References

Affected packages

Packagist / silverstripe/framework

Package

Name
silverstripe/framework
Purl
pkg:composer/silverstripe/framework

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.2.16

Affected versions

2.*

2.4.9
2.4.10
2.4.11
2.4.12
2.4.13
2.5.0

3.*

3.0.2.1
3.0.3-rc1
3.0.3-rc2
3.0.3
3.0.4
3.0.5
3.0.6-rc1
3.0.6-rc2
3.0.6
3.0.7-rc1
3.0.7
3.0.8
3.0.9-rc1
3.0.9
3.0.10-rc1
3.0.10
3.0.11-rc1
3.0.11
3.0.12
3.0.13
3.0.14
3.1.0-beta1
3.1.0-beta2
3.1.0-beta3
3.1.0-rc1
3.1.0-rc2
3.1.0-rc3
3.1.0
3.1.1
3.1.2-rc1
3.1.2
3.1.3-rc1
3.1.3-rc2
3.1.3
3.1.4-rc1
3.1.4
3.1.5-rc1
3.1.5
3.1.6-rc1
3.1.6-rc2
3.1.6-rc3
3.1.6
3.1.7-rc1
3.1.7
3.1.8
3.1.9-rc1
3.1.9
3.1.10-rc1
3.1.10-rc2
3.1.10
3.1.11-rc1
3.1.11
3.1.12
3.1.13-rc1
3.1.13
3.1.14-rc1
3.1.14
3.1.15
3.1.16-rc1
3.1.16
3.1.17-rc1
3.1.17-rc2
3.1.17
3.1.18-rc1
3.1.18-rc2
3.1.18
3.1.19-rc1
3.1.19
3.1.20-rc1
3.1.20-rc2
3.1.20
3.1.21
3.2.0-beta1
3.2.0-beta2
3.2.0-rc1
3.2.0-rc2
3.2.0
3.2.1-rc1
3.2.1-rc2
3.2.1
3.2.2-rc1
3.2.2-rc2
3.2.2
3.2.3-rc1
3.2.3-rc2
3.2.3
3.2.4-rc1
3.2.4
3.2.5-rc1
3.2.5-rc2
3.2.5
3.2.6
3.3.0-beta1
3.3.0-rc1
3.3.0-rc2
3.3.0-rc3
3.3.0
3.3.1-rc1
3.3.1-rc2
3.3.1
3.3.2-rc1
3.3.2
3.3.3-rc1
3.3.3-rc2
3.3.3
3.3.4
3.4.0-rc1
3.4.0
3.4.1-rc1
3.4.1-rc2
3.4.1
3.4.2
3.4.3-rc1
3.4.3
3.4.4-rc1
3.4.4
3.4.5-rc1
3.4.5
3.4.6-rc1
3.4.6-rc2
3.4.6
3.5.0-rc1
3.5.0-rc2
3.5.0-rc3
3.5.0
3.5.1-rc1
3.5.1-rc2
3.5.1
3.5.2-rc1
3.5.2
3.5.3-rc1
3.5.3
3.5.4-rc1
3.5.4
3.5.5-beta1
3.5.5-beta2
3.5.5
3.5.6-rc1
3.5.6
3.5.7
3.5.8-rc1
3.5.8
3.6.0-beta1
3.6.0-beta2
3.6.0-rc1
3.6.0
3.6.1-alpha2
3.6.1
3.6.2-beta1
3.6.2-beta2
3.6.2
3.6.3-rc2
3.6.3
3.6.4
3.6.5
3.6.6-rc1
3.6.6
3.6.7
3.6.8
3.7.0
3.7.1-rc1
3.7.1
3.7.2
3.7.3
3.7.4
3.7.5
3.7.6
3.7.7

4.*

4.0.0-alpha1
4.0.0-alpha2
4.0.0-alpha3
4.0.0-alpha4
4.0.0-alpha5
4.0.0-alpha6
4.0.0-alpha7
4.0.0-beta1
4.0.0-beta2
4.0.0-beta3
4.0.0-beta4
4.0.0-rc1
4.0.0-rc2
4.0.0-rc3
4.0.0
4.0.1-rc1
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.0.6
4.0.7
4.1.0-rc1
4.1.0-rc2
4.1.0
4.1.1
4.1.2
4.1.3
4.1.4
4.1.5
4.2.0-beta1
4.2.0
4.2.1
4.2.2
4.2.3
4.2.4
4.2.5
4.3.0-rc1
4.3.0
4.3.1
4.3.2
4.3.3
4.3.4
4.3.5
4.4.0-rc1
4.4.0
4.4.1
4.4.2
4.4.3
4.4.4
4.4.5
4.4.6
4.4.7
4.5.0-alpha1
4.5.0-rc1
4.5.0-rc2
4.5.0
4.5.1
4.5.2
4.5.3
4.5.4
4.6.0-beta1
4.6.0-rc1
4.6.0
4.6.1
4.6.2
4.7.0-beta1
4.7.0-rc1
4.7.0
4.7.1
4.7.2
4.7.3
4.7.4
4.8.0-beta1
4.8.0-rc1
4.8.0
4.8.1
4.9.0-alpha1
4.9.0-beta1
4.9.0-rc1
4.9.0
4.9.1
4.9.2
4.9.3
4.9.4
4.10.0-beta1
4.10.0-rc1
4.10.0
4.10.1
4.10.2
4.10.3
4.10.4
4.10.5
4.10.6
4.10.7
4.10.8
4.10.9
4.10.10
4.10.11
4.11.0-beta1
4.11.0-beta2
4.11.0-beta3
4.11.0-rc1
4.11.0
4.11.1
4.11.2
4.11.3
4.11.4
4.11.5
4.11.6
4.11.7
4.11.8
4.11.9
4.11.10
4.11.11
4.11.12
4.11.13
4.11.14
4.11.15
4.11.16
4.12.0-beta1
4.12.0-rc1
4.12.0
4.12.1
4.12.2
4.12.3
4.12.4
4.12.5
4.12.6
4.12.7
4.13.0-beta1
4.13.0-rc1
4.13.0
4.13.1
4.13.2
4.13.3
4.13.4
4.13.5
4.13.6
4.13.7
4.13.8
4.13.9
4.13.10
4.13.11
4.13.12
4.13.13
4.13.14
4.13.15
4.13.16
4.13.17
4.13.18
4.13.19
4.13.20
4.13.21
4.13.22
4.13.23
4.13.24
4.13.25
4.13.26
4.13.27
4.13.28
4.13.29
4.13.30
4.13.31
4.13.32
4.13.33
4.13.34
4.13.35
4.13.36
4.13.37
4.13.38
4.13.39
4.13.40
4.13.41
4.13.42
4.13.43
4.13.44

5.*

5.0.0-alpha1
5.0.0-beta1
5.0.0-beta2
5.0.0-beta3
5.0.0-rc1
5.0.0
5.0.1
5.0.2
5.0.3
5.0.4
5.0.5
5.0.6
5.0.7
5.0.8
5.0.9
5.0.10
5.0.11
5.0.12
5.0.13
5.0.14
5.0.15
5.0.16
5.0.17
5.0.18
5.0.19
5.0.20
5.0.21
5.0.22
5.0.23
5.1.0-beta1
5.1.0-rc1
5.1.0
5.1.1
5.1.2
5.1.3
5.1.4
5.1.5
5.1.6
5.1.7
5.1.8
5.1.9
5.1.10
5.1.11
5.1.12
5.1.13
5.1.14
5.1.15
5.1.16
5.1.17
5.1.18
5.1.19
5.1.20
5.1.21
5.1.22
5.1.23
5.2.0-beta1
5.2.0-rc1
5.2.0
5.2.1
5.2.2
5.2.3
5.2.4
5.2.5
5.2.6
5.2.7
5.2.8
5.2.9
5.2.10
5.2.11
5.2.12
5.2.13
5.2.14
5.2.15