CVE-2024-47605: Cross-site Scripting via insert media remote file oembed in silverstripe-asset-admin
First published: Tue Jan 14 2025(Updated: )
### Impact When using the "insert media" functionality, the linked oEmbed JSON includes an HTML attribute which will replace the embed shortcode. The HTML is not sanitized before replacing the shortcode, allowing a script payload to be executed on both the CMS and the front-end of the website. ## References - https://www.silverstripe.org/download/security-releases/cve-2024-47605 ## Reported by James Nicoll from [Fujitsu Cyber Security Services](https://www.fujitsu.com/nz/services/security/)
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/silverstripe/framework | <5.3.8 | 5.3.8 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/silverstripe/silverstripe-asset-admin/security/advisories/GHSA-7cmp-cgg8-4c82
- https://github.com/silverstripe/silverstripe-framework/commit/09b5052c86932f273e0d733428c9aade70ff2a4a
- https://www.silverstripe.org/download/security-releases/cve-2024-47605
- https://github.com/advisories/GHSA-7cmp-cgg8-4c82 (Advisory)
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-7cmp-cgg8-4c82
- alias/CVE-2024-47605
- agent/software-canonical-lookup
- agent/weakness
- agent/references
- agent/softwarecombine
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/type
- agent/description
- collector/nvd-api
- source/NVD
- agent/last-modified-date
- agent/author
- agent/severity
- agent/tags
- agent/event
- package-manager/composer