Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2024-47605: Cross-site Scripting in Silverstripe-asset-admin

Severity
5.4 MEDIUM (NVD)
EPSS
4.0%
top 11.59%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Timeline
Published: Jan 14
Latest update: Apr 14

Description

silverstripe-asset-admin is a silverstripe assets gallery for asset management. When using the "insert media" functionality, the linked oEmbed JSON includes an HTML attribute which will replace the embed shortcode. The HTML is not sanitized before replacing the shortcode, allowing a script payload to be executed on both the CMS and the front-end of the website. This issue has been addressed in silverstripe/framework version 5.3.8 and users are advised to upgrade. There are no known workarounds f

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.5

Affected Packages: 2 packages

🔴 Vulnerability Details (2)

OSV: Silverstripe Framework has a XSS via insert media remote file oembed (2025-01-14)
GHSA: Silverstripe Framework has a XSS via insert media remote file oembed (2025-01-14)

💥 Exploits & PoCs (1)

Exploit-DB: SilverStripe 5.3.8 - Stored Cross Site Scripting (XSS) (Authenticated) (2025-04-14)