Package Instance

Improper Input Validation
Silverstripe Framework is the MVC framework that powers Silverstripe CMS. When a new member record is created and a password is not set, an empty encrypted password is generated. As a result, if someone is aware of the existence of a member record associated with a specific email address, they can potentially attempt to log in using that empty password. Although the default member authenticator and login form require a non-empty password, alternative authentication methods might still permit a successful login with the empty password. This issue has been patched in versions 4.13.4 and 5.0.13.

Silverstripe Framework has a XSS in form messages
In some cases, form messages can contain HTML markup. This is an intentional feature, allowing links and other relevant HTML markup for the given message.

Some form messages include content that the user can provide. There are scenarios in the CMS where that content doesn't get correctly sanitised prior to being included in the form message, resulting in an XSS vulnerability.

### References

- https://www.silverstripe.org/download/security-releases/cve-2024-53277

## Reported by

Leo Diamat from [Bastion Security Group](http://www.bastionsecurity.co.nz/)

Record titles for restricted records can be viewed if exposed by GridFieldAddExistingAutocompleter
### Impact
If a user should not be able to see a record, but that record can be added to a `GridField` using the `GridFieldAddExistingAutocompleter` component, the record's title can be accessed by that user.

**Base CVSS:** [4.3](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C&version=3.1)
**Reported by:** Nick K - LittleMonkey, [littlemonkey.co.nz](http://littlemonkey.co.nz/)

### References
- https://www.silverstripe.org/download/security-releases/CVE-2023-48714

Silverstripe Framework has a XSS vulnerability in HTML editor
### Impact

A bad actor with access to edit content in the CMS could send a specifically crafted encoded payload to the server, which could be used to inject a JavaScript payload on the front end of the site. The payload would be sanitised on the client-side, but server-side sanitisation doesn't catch it.

The server-side sanitisation logic has been updated to sanitise against this attack.

### Reported by

James Nicoll from Fujitsu Cyber

### References

- https://www.silverstripe.org/download/security-releases/cve-2025-30148

Silverstripe Framework has a Reflected Cross Site Scripting (XSS) in error message
> [!IMPORTANT]
> This vulnerability only affects sites which are in the "dev" environment mode. If your production website is in "dev" mode, it has been misconfigured, and you should immediately swap it to "live" mode.
> See https://docs.silverstripe.org/en/developer_guides/debugging/environment_types/ for more information.

If a website has been set to the "dev" environment mode, a URL can be provided which includes an XSS payload which will be executed in the resulting error message.

## References

- https://www.silverstripe.org/download/security-releases/ss-2024-002

## Reported by

Gaurav Nayak from [Chaleit](https://chaleit.com/)

Silverstripe uses TinyMCE which allows svg files linked in object tags
### Impact
TinyMCE v6 has a configuration value `convert_unsafe_embeds` set to `false` which allows svg files containing javascript to be used in `<object>` or `<embed>` tags, which can be used as a vector for XSS attacks.

Note that `<embed>` tags are not allowed by default.

After patching the default value of `convert_unsafe_embeds` will be set to `true`. This means that `<object>` tags will be converted to iframes instead the next time the page is saved, which may break any pages that rely upon previously saved `<object>` tags. Developers can override this configuration if desired to revert to the original behaviour.

We reviewed the potential impact of this vulnerability within the context of Silverstripe CMS. We concluded this is a medium impact vulnerability given how TinyMCE is used by Silverstripe CMS.

### References:
- https://www.silverstripe.org/download/security-releases/ss-2024-001
- https://github.com/advisories/GHSA-5359-pvf2-pw78

Silverstripe Framework has a XSS via insert media remote file oembed
### Impact

When using the "insert media" functionality, the linked oEmbed JSON includes an HTML attribute which will replace the embed shortcode. The HTML is not sanitized before replacing the shortcode, allowing a script payload to be executed on both the CMS and the front-end of the website.

## References

- https://www.silverstripe.org/download/security-releases/cve-2024-47605

## Reported by

James Nicoll from [Fujitsu Cyber Security Services](https://www.fujitsu.com/nz/services/security/)

Reflected Cross Site Scripting (XSS) in error message
If a website has been set to the "dev" environment mode, a URL can be provided which includes an XSS payload which will be executed in the resulting error message.

Silverstripe Framework user enumeration via timing attack on login and password reset forms
### Impact
User enumeration is possible by performing a timing attack on the login or password reset pages with user credentials.

This was originally disclosed in https://www.silverstripe.org/download/security-releases/ss-2017-005/ for CMS 3 but was not patched in CMS 4+

### References

- https://www.silverstripe.org/download/security-releases/ss-2017-005
- https://www.silverstripe.org/download/security-releases/ss-2025-001

Silverstripe Framework has a Cross-site Scripting vulnerability with encoded payload
### Impact
A bad actor with access to edit content in the CMS could send a specifically crafted encoded payload to the server, which could be used to inject a JavaScript payload on the front end of the site. The payload would be sanitised on the client-side, but server-side sanitisation doesn't catch it.

The server-side sanitisation logic has been updated to sanitise against this type of attack.

### References
- https://www.silverstripe.org/download/security-releases/cve-2024-32981