PT-2025-2773 · Silverstripe · Silverstripe Asset-Admin +1

James Nicoll · Published 2025-01-14 · Updated 2025-01-15 · CVE-2024-47605

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: silverstripe-asset-admin versions prior to 5.3.8; silverstripe/framework versions prior to 5.3.8.
Description: The issue arises when using the "insert media" functionality: the oEmbed JSON fetched for the linked URL contains an HTML attribute whose value replaces the embed shortcode. Because that HTML is not sanitized before it replaces the shortcode, a script payload carried in the oEmbed response is executed both in the CMS and on the front-end of the website.
Recommendations: For silverstripe-asset-admin versions prior to 5.3.8, upgrade to version 5.3.8 or later. For silverstripe/framework versions prior to 5.3.8, upgrade to version 5.3.8 or later. As a temporary workaround, consider disabling the "insert media" functionality until a patch is available, restrict access to the oEmbed JSON endpoint to minimize the risk of exploitation, and avoid using the insert media functionality in the affected API endpoint until the issue is resolved.
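The unsanitized step the description refers to, shown as an added defensive example that is not Silverstripe's code: a standalone Python allowlist filter for the `html` field of an oEmbed response, which rebuilds a single `<iframe>` pointing at an allowlisted provider host and refuses anything else before the result is allowed to replace a shortcode. The allowlist, the sample responses and the function name are constructed for this example.

```python
import json
from html import escape
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urlparse

ALLOWED_HOSTS = {"www.youtube.com", "player.vimeo.com"}  # constructed allowlist
ALLOWED_ATTRS = {"src", "width", "height", "title", "allowfullscreen"}

# Constructed oEmbed responses, not captured from any real provider.
SAMPLE_OK = '{"type": "video", "html": "<iframe src=\\"https://www.youtube.com/embed/abc\\" width=\\"560\\" allowfullscreen></iframe>"}'
SAMPLE_SCRIPT = '{"type": "rich", "html": "<script>alert(1)</script>"}'
SAMPLE_HANDLER = '{"type": "video", "html": "<iframe src=\\"https://player.vimeo.com/video/1\\" onload=\\"alert(1)\\"></iframe>"}'

class _IframeOnly(HTMLParser):
    """Collect <iframe> start tags; flag any other tag or any text content."""
    def __init__(self):
        super().__init__()
        self.frames, self.rejected = [], False

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            self.rejected = True  # script, img, svg, ... are all refused
        else:
            self.frames.append(dict(attrs))

    def handle_data(self, data):
        if data.strip():
            self.rejected = True  # bare text, including an inline script body

def sanitize_oembed_html(raw_json: str) -> Optional[str]:
    """Rebuild the html field as one allowlisted <iframe>, or None if unsafe."""
    parser = _IframeOnly()
    parser.feed(json.loads(raw_json).get("html", ""))
    parser.close()
    if parser.rejected or len(parser.frames) != 1:
        return None
    attrs = parser.frames[0]
    src = urlparse(attrs.get("src") or "")
    if src.scheme != "https" or src.hostname not in ALLOWED_HOSTS:
        return None  # javascript:, data:, http: and unknown hosts all fail here
    # Re-emit from scratch so unknown attributes (onload, srcdoc, ...) never
    # reach the page; values are re-escaped because the parser decoded them.
    parts = [name if value is None else f'{name}="{escape(value, quote=True)}"'
             for name, value in attrs.items() if name in ALLOWED_ATTRS]
    return f"<iframe {' '.join(parts)}></iframe>"
```

Only the rebuilt element, never the provider's raw `html` string, should be substituted for the shortcode.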

Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers

CVE-2024-47605
GHSA-7CMP-CGG8-4C82

Affected Products

Silverstripe Asset-Admin
Silverstripe/Framework