CVE-2017-14498: Cross-site Scripting in CMS

Severity
6.1 MEDIUM (NVD)
EPSS
0.4%
top 40.81%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Sep 15
Latest update: May 17

Description

SilverStripe CMS before 3.6.1 has XSS via an SVG document that is mishandled by (1) the Insert Media option in the content editor or (2) an admin/assets/add pathname, as demonstrated by the admin/pages/edit/EditorToolbar/MediaForm/field/AssetUploadField/upload URI, aka issue SS-2017-017.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7

Affected Packages (2 packages)

Packagist: silverstripe/cms < 3.6.1

Vulnerability Details (2)

OSV: Silverstripe CMS XSS Vulnerability (2022-05-17)
GHSA: Silverstripe CMS XSS Vulnerability (2022-05-17)