Silverstripe · Silverstripe Asset-Admin · CVE-2024-47605
Name of the Vulnerable Software and Affected Versions:
silverstripe/asset-admin versions prior to 5.3.8
silverstripe/framework versions prior to 5.3.8
Description:
The issue arises in the "insert media" functionality. When an author embeds a URL, the CMS fetches that URL's oEmbed JSON, and the `html` field of that response replaces the `[embed]` shortcode in the rendered content. Because the provider-supplied HTML is not sanitised before it replaces the shortcode, whoever controls the oEmbed response (the embedded site itself, or an attacker-controlled URL that serves oEmbed JSON) can inject a script payload that executes both in the CMS and on the public front end of the website.
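The following is an added example, not Silverstripe's code, that reproduces the pattern described above in a small Python model: an `[embed]` shortcode is replaced by the `html` field of an oEmbed response, first verbatim (the vulnerable path) and then through an allow-list sanitiser (the hardened path). The oEmbed JSON, the `fetch_oembed` stand-in for the HTTP request, the shortcode syntax and the `EmbedSanitiser` class are all constructed for illustration.

```python
"""Added example (not Silverstripe code): why oEmbed `html` must be sanitised
before it replaces an [embed] shortcode, and one allow-list sanitiser."""
import html
import json
import re
from html.parser import HTMLParser

# Constructed oEmbed response, as a hostile or compromised provider could return it.
# A real CMS would fetch this from the provider's oEmbed endpoint over HTTP.
CONSTRUCTED_OEMBED_JSON = json.dumps({
    "version": "1.0",
    "type": "video",
    "provider_name": "video.example",
    "html": (
        '<iframe src="https://video.example/embed/123" allowfullscreen></iframe>'
        '<script>alert(document.cookie)</script>'
        '<img src="https://video.example/poster.jpg" onerror="alert(1)">'
        '<a href="javascript:alert(2)">open</a>'
    ),
})

SHORTCODE_RE = re.compile(r"\[embed\](?P<url>[^\[\]]+)\[/embed\]")


def fetch_oembed(url):
    """Hypothetical stand-in for the HTTP fetch of the provider's oEmbed JSON."""
    return json.loads(CONSTRUCTED_OEMBED_JSON)


def render_unsanitised(content):
    """Vulnerable pattern: the provider's `html` field replaces the shortcode verbatim,
    so any script in it runs in the CMS preview and on the public front end."""
    return SHORTCODE_RE.sub(lambda m: fetch_oembed(m.group("url"))["html"], content)


# Allow-list: element -> attributes that survive. Everything else is dropped.
ALLOWED = {
    "iframe": {"src", "width", "height", "title", "allow", "allowfullscreen", "frameborder"},
    "img": {"src", "width", "height", "alt", "title"},
    "a": {"href", "title"},
    "p": set(), "div": set(), "span": set(), "blockquote": set(), "br": set(),
}
VOID = {"img", "br", "hr", "input", "meta", "link", "source", "track", "wbr", "embed", "param"}
URL_ATTRS = {"src", "href"}


def _safe_url(value):
    # Only absolute http(s) URLs; rejects javascript:, data:, vbscript: and similar.
    return re.match(r"^https?://", (value or "").strip(), re.IGNORECASE) is not None


class EmbedSanitiser(HTMLParser):
    """Rebuilds the embed HTML keeping only allow-listed elements and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside a disallowed element such as <script>

    def handle_starttag(self, tag, attrs):
        if self.skip_depth or tag not in ALLOWED:
            if tag not in VOID:
                self.skip_depth += 1  # drop the element and everything nested in it
            return
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name not in ALLOWED[tag] or name.startswith("on"):
                continue  # event handlers and unlisted attributes never survive
            if name in URL_ATTRS and not _safe_url(value):
                continue  # keep the element, drop the unsafe URL attribute
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag not in VOID:
                self.skip_depth -= 1
            return
        if tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data))  # text is escaped, so it cannot open tags

    def result(self):
        self.close()
        return "".join(self.out)


def sanitise_embed_html(raw_html):
    s = EmbedSanitiser()
    s.feed(raw_html)
    return s.result()


def render_sanitised(content):
    """Hardened pattern: the provider's HTML goes through the allow-list first."""
    return SHORTCODE_RE.sub(
        lambda m: sanitise_embed_html(fetch_oembed(m.group("url"))["html"]), content)


if __name__ == "__main__":
    page = "<p>Trailer:</p>[embed]https://video.example/watch?v=123[/embed]"
    print(render_unsanitised(page))  # script and onerror handler reach the browser
    print(render_sanitised(page))    # only the iframe, the img src and the link text survive
```

The sanitiser fails closed: an element that is not on the allow-list is removed together with everything nested inside it, URL attributes must be absolute http(s), and text nodes are re-escaped so a provider cannot smuggle markup through character references. Silverstripe's own fix is in the patched versions listed below; this block only illustrates the difference between the two rendering paths.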
Recommendations:
For silverstripe-asset-admin versions prior to 5.3.8, upgrade to version 5.3.8 or later.
For silverstripe/framework versions prior to 5.3.8, upgrade to version 5.3.8 or later.
If you cannot upgrade immediately, restrict the "insert media" functionality to trusted CMS users until the patched versions are deployed: the payload is delivered through the oEmbed response of whatever URL an author chooses to embed, so the ability to insert embeds is the privilege that matters.
Limit embeds to a short list of trusted oEmbed providers. The oEmbed endpoint belongs to the embedded site, not to your installation, so it cannot be access-controlled from your side; any provider, or any attacker-controlled URL that serves oEmbed JSON, can return arbitrary markup in the `html` field.