Steve Boyd

**Name of the Vulnerable Software and Affected Versions** Silverstripe silverstripe/framework versions through 4.11 **Description** The issue allows for an XSS vulnerability via the `href` attribute of a link. A malicious content author could add a JavaScript payload to the `href` attribute. This is similar to a previously identified issue, but the fix for that issue did not account for the casing of the `href` attribute. An attacker must have access to the CMS to exploit this issue. **Recommendations** For versions through 4.11, as a temporary workaround, consider restricting access to the CMS to minimize the risk of exploitation. Avoid using the `href` attribute in links within the CMS until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Silverstripe silverstripe/framework versions 4.11.0 and earlier Silverstripe silverstripe/assets versions 1.11.0 and earlier Silverstripe silverstripe/asset-admin versions 1.11.0 and earlier **Description** The issue allows for cross-site scripting (XSS) attacks. A malicious content author could add arbitrary attributes to HTML editor shortcodes, potentially injecting a JavaScript payload on the site's front end. The shortcode providers that ship with Silverstripe CMS have been reviewed, and attribute whitelists have been implemented where necessary to mitigate this risk. **Recommendations** For silverstripe/framework versions 4.11.0 and earlier, update to a version that includes the attribute whitelists for shortcode providers. For silverstripe/assets versions 1.11.0 and earlier, update to a version that includes the attribute whitelists for shortcode providers. For silverstripe/asset-admin versions 1.11.0 and earlier, update to a version that includes the attribute whitelists for shortcode providers. As a temporary workaround, consider restricting the ability to add arbitrary attributes to HTML editor shortcodes until a patch is available.

**Name of the Vulnerable Software and Affected Versions** SilverStripe versions prior to 4.4 **Description** The issue arises from a missing warning about leaving install.php in a public webroot, which can lead to unauthenticated admin access. **Recommendations** For SilverStripe versions prior to 4.4, remove or restrict access to install.php to prevent unauthenticated admin access.