CVE-2020-25817 — XML External Entity (XXE) Injection in Silverstripe

CWE-611 — XML External Entity (XXE) Injection3 documents3 sources

Severity

4.8MEDIUMNVD

EPSS

0.3%

top 42.61%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Silverstripe Silverstripe Framework

Timeline

PublishedJun 8

Latest updateMay 24

Description

SilverStripe through 4.6.0-rc1 has an XXE Vulnerability in CSSContentParser. A developer utility meant for parsing HTML within unit tests can be vulnerable to XML External Entity (XXE) attacks. When this developer utility is misused for purposes involving external or user submitted data in custom project code, it can lead to vulnerabilities such as XSS on HTML output rendered through this custom code. This is now mitigated by disabling external entities during parsing. (The correct CVE ID year i…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:NExploitability: 1.7 | Impact: 2.7

Affected Packages2 packages

▶Packagistsilverstripe/framework4.0.0 — 4.7.4

▶NVDsilverstripe/silverstripe< 4.6.0+1

🔴Vulnerability Details

GHSA

SilverStripe XXE Vulnerability in CSSContentParser↗2022-05-24

▶

OSV

SilverStripe XXE Vulnerability in CSSContentParser↗2022-05-24

▶