CVE-2017-14498
Published 2017-09-15
CVE-2017-14498: SilverStripe CMS before 3.6.1 has XSS via an SVG document that is mishandled by (1) the Insert Media option in the content editor or (2) an admin/assets/add…
Priority: P4 · 24 · medium · CVSS 3.0 base score 6.1
Vector: AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
EPSS: 1.30% (66.9th percentile)
SilverStripe CMS before 3.6.1 has XSS via an SVG document that is mishandled by (1) the Insert Media option in the content editor or (2) an admin/assets/add pathname, as demonstrated by the admin/pages/edit/EditorToolbar/MediaForm/field/AssetUploadField/upload URI, aka issue SS-2017-017.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| silverstripe | cms | >= 0 < 3.6.1 | 3.6.1 |
| silverstripe | silverstripe | <= 3.6.0 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 6.1 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
OSV
Silverstripe CMS XSS Vulnerability
osv · 2022-05-17 · CVE-2017-14498 [MEDIUM]
GHSA
Silverstripe CMS XSS Vulnerability
ghsa · 2022-05-17 · CVE-2017-14498 [MEDIUM] · CWE-79
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- http://lists.openwall.net/full-disclosure/2017/09/14/2
- https://docs.silverstripe.org/en/3/changelogs/3.6.1
- https://github.com/silverstripe/silverstripe-framework/commit/25b77a2ff8deabe8e8894002b9a5647eaec27b0a
- https://github.com/silverstripe/silverstripe-installer/commit/c25478bef75cc5482852e80a1fa6f1f0e6460e39