First published: Tue Jun 08 2021 (Updated: )
SilverStripe through 4.6.0-rc1 has an XXE vulnerability in CSSContentParser, a developer utility meant for parsing HTML within unit tests. The utility's XML parsing is susceptible to XML External Entity (XXE) attacks: when it is misused in custom project code to parse external or user-submitted data, attacker-declared entities are resolved during parsing, which can lead to vulnerabilities such as XSS in HTML output rendered through that custom code. This is now mitigated by disabling external entities during parsing. (The correct CVE ID year is 2020: CVE-2020-25817, not CVE-2021-25817.)
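The following is an added example, not SilverStripe's own CSSContentParser code, illustrating the generic libxml mistake the description refers to and one way to close it. The "secret" file, the attacker payload and the function names `parseVulnerable` and `parseHardened` are all constructed for this illustration; the hardened variant goes slightly beyond the fix the advisory describes (disabling external entities) by refusing any DOCTYPE outright, since entities can only be declared inside one. It assumes a POSIX system for the `file://` URL and PHP 7.3 or later for the indented heredoc.

```php
<?php
declare(strict_types=1);

// Added example, not SilverStripe's CSSContentParser code. It reproduces the
// generic libxml mistake behind CVE-2020-25817 and one way to close it.
// Assumption: POSIX filesystem (file:// URL built from a temp path), PHP >= 7.3.

// Constructed stand-in for a sensitive local file (think .env or /etc/passwd).
$secretFile = tempnam(sys_get_temp_dir(), 'xxe');
file_put_contents($secretFile, "DB_PASSWORD=hunter2\n");

// Constructed attacker payload: "HTML" that a misused test helper might be
// handed from user input. The internal DTD subset declares an external entity
// pointing at the local file, and the entity is referenced inside the markup.
$payload = <<<XML
<!DOCTYPE html [
  <!ENTITY ext SYSTEM "file://{$secretFile}">
]>
<html><body><div class="content">&ext;</div></body></html>
XML;

/**
 * Vulnerable parse: LIBXML_NOENT tells libxml to substitute entity references,
 * and that substitution includes fetching external (SYSTEM) entities, so the
 * file contents end up inside the parsed document (and in any HTML rendered
 * from it, which is the XSS angle the advisory mentions).
 */
function parseVulnerable(string $markup): string
{
    $doc = simplexml_load_string($markup, 'SimpleXMLElement', LIBXML_NOENT);
    return $doc === false ? '' : (string) $doc->body->div;
}

/**
 * Hardened parse: refuse any DOCTYPE (entities can only be declared there) and
 * parse without LIBXML_NOENT so references are never expanded. LIBXML_NONET
 * additionally blocks network fetches of DTDs or entities. On PHP < 8.0,
 * calling libxml_disable_entity_loader(true) first is a further safety net.
 */
function parseHardened(string $markup): string
{
    if (preg_match('/<!DOCTYPE/i', $markup) === 1) {
        throw new InvalidArgumentException('DOCTYPE declarations are not allowed');
    }
    $previous = libxml_use_internal_errors(true);
    $doc = simplexml_load_string($markup, 'SimpleXMLElement', LIBXML_NONET);
    libxml_use_internal_errors($previous);
    if ($doc === false) {
        throw new InvalidArgumentException('Markup could not be parsed');
    }
    return (string) $doc->body->div;
}

// The vulnerable parser returns the contents of the local file; the hardened
// one rejects the payload but still parses benign markup.
echo "vulnerable: " . parseVulnerable($payload);
try {
    parseHardened($payload);
} catch (InvalidArgumentException $e) {
    echo "hardened: rejected ({$e->getMessage()})\n";
}
echo "benign: " . parseHardened('<html><body><div>hello</div></body></html>') . "\n";

unlink($secretFile);
```

The practical check for project code is therefore twofold: never pass external or user-submitted markup to a parser configured with `LIBXML_NOENT`, and treat the presence of a DOCTYPE in untrusted input as an error rather than something to sanitize, because a single declared entity is enough to pull in local files or, with network access, remote resources.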
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Silverstripe silverstripe | <4.6.0 | |
Silverstripe silverstripe | =4.6.0-rc1 | |
composer/silverstripe/framework | >=4.0.0, <4.7.4 | 4.7.4 |
The vulnerability ID is CVE-2020-25817.
The severity of CVE-2020-25817 is medium with a severity value of 4.8.
SilverStripe versions up to and including 4.6.0-rc1 are affected by CVE-2020-25817; the composer package silverstripe/framework is listed as affected from 4.0.0 up to (but not including) 4.7.4.
The Common Weakness Enumeration (CWE) ID for CVE-2020-25817 is CWE-79 and CWE-611.
To fix the XXE vulnerability in SilverStripe, upgrade silverstripe/framework to 4.7.4 or later, the fixed release listed above. Project code that passes external or user-submitted data to CSSContentParser should also stop doing so, since the utility is intended only for parsing HTML within unit tests.