Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-6epx-c68d-d7bv
Vulnerability ID VCID-6epx-c68d-d7bv
Aliases CVE-2024-53277
GHSA-ff6q-3c9c-6cf5
Summary Silverstripe Framework has a XSS in form messages In some cases, form messages can contain HTML markup. This is an intentional feature, allowing links and other relevant HTML markup for the given message. Some form messages include content that the user can provide. There are scenarios in the CMS where that content doesn't get correctly sanitised prior to being included in the form message, resulting in an XSS vulnerability. ### References - https://www.silverstripe.org/download/security-releases/cve-2024-53277 ## Reported by Leo Diamat from [Bastion Security Group](http://www.bastionsecurity.co.nz/)
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.01074 https://api.first.org/data/v1/epss?cve=CVE-2024-53277
epss 0.01074 https://api.first.org/data/v1/epss?cve=CVE-2024-53277
epss 0.01074 https://api.first.org/data/v1/epss?cve=CVE-2024-53277
epss 0.01074 https://api.first.org/data/v1/epss?cve=CVE-2024-53277
epss 0.01074 https://api.first.org/data/v1/epss?cve=CVE-2024-53277
epss 0.01074 https://api.first.org/data/v1/epss?cve=CVE-2024-53277
epss 0.01074 https://api.first.org/data/v1/epss?cve=CVE-2024-53277
epss 0.01074 https://api.first.org/data/v1/epss?cve=CVE-2024-53277
epss 0.01074 https://api.first.org/data/v1/epss?cve=CVE-2024-53277
epss 0.01074 https://api.first.org/data/v1/epss?cve=CVE-2024-53277
epss 0.01074 https://api.first.org/data/v1/epss?cve=CVE-2024-53277
epss 0.01074 https://api.first.org/data/v1/epss?cve=CVE-2024-53277
epss 0.01074 https://api.first.org/data/v1/epss?cve=CVE-2024-53277
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-ff6q-3c9c-6cf5
cvssv3.1 5.4 https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2024-53277.yaml
generic_textual MODERATE https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2024-53277.yaml
cvssv3.1 5.4 https://github.com/silverstripe/silverstripe-framework
generic_textual MODERATE https://github.com/silverstripe/silverstripe-framework
cvssv3.1 5.4 https://github.com/silverstripe/silverstripe-framework/commit/74904f539347b7d1f8c5b5fb9e28d62ff251ee00
generic_textual MODERATE https://github.com/silverstripe/silverstripe-framework/commit/74904f539347b7d1f8c5b5fb9e28d62ff251ee00
ssvc Track https://github.com/silverstripe/silverstripe-framework/commit/74904f539347b7d1f8c5b5fb9e28d62ff251ee00
cvssv3.1 5.4 https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-ff6q-3c9c-6cf5
cvssv3.1_qr MODERATE https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-ff6q-3c9c-6cf5
generic_textual MODERATE https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-ff6q-3c9c-6cf5
ssvc Track https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-ff6q-3c9c-6cf5
cvssv3.1 5.4 https://nvd.nist.gov/vuln/detail/CVE-2024-53277
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2024-53277
cvssv3.1 5.4 https://www.silverstripe.org/download/security-releases/cve-2024-53277
generic_textual MODERATE https://www.silverstripe.org/download/security-releases/cve-2024-53277
ssvc Track https://www.silverstripe.org/download/security-releases/cve-2024-53277
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2024-53277
https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2024-53277.yaml
https://github.com/silverstripe/silverstripe-framework
https://github.com/silverstripe/silverstripe-framework/commit/74904f539347b7d1f8c5b5fb9e28d62ff251ee00
https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-ff6q-3c9c-6cf5
https://nvd.nist.gov/vuln/detail/CVE-2024-53277
https://www.silverstripe.org/download/security-releases/cve-2024-53277
GHSA-ff6q-3c9c-6cf5 https://github.com/advisories/GHSA-ff6q-3c9c-6cf5
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Found at https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2024-53277.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Found at https://github.com/silverstripe/silverstripe-framework
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Found at https://github.com/silverstripe/silverstripe-framework/commit/74904f539347b7d1f8c5b5fb9e28d62ff251ee00
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-15T14:52:17Z/ Found at https://github.com/silverstripe/silverstripe-framework/commit/74904f539347b7d1f8c5b5fb9e28d62ff251ee00
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Found at https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-ff6q-3c9c-6cf5
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-15T14:52:17Z/ Found at https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-ff6q-3c9c-6cf5
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2024-53277
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Found at https://www.silverstripe.org/download/security-releases/cve-2024-53277
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-15T14:52:17Z/ Found at https://www.silverstripe.org/download/security-releases/cve-2024-53277
Exploit Prediction Scoring System (EPSS)
Percentile 0.77712
EPSS Score 0.01074
Published At April 2, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:55:23.505064+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-ff6q-3c9c-6cf5/GHSA-ff6q-3c9c-6cf5.json 38.0.0