CVE-2017-14498

Name of the Vulnerable Software and Affected Versions SilverStripe CMS versions prior to 3.6.1

Description The issue concerns a mishandled SVG document, which can lead to XSS. This occurs through either the Insert Media option in the content editor or an admin/assets/add pathname. An example of exploitation is demonstrated by the "admin/pages/edit/EditorToolbar/MediaForm/field/AssetUploadField/upload" URI.

Recommendations For versions prior to 3.6.1, update to version 3.6.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the Insert Media option in the content editor and the admin/assets/add pathname to minimize the risk of exploitation. Avoid using the affected URI until the issue is resolved.