SilverStripe CMS Cross-site Scripting vulnerabilities inherited from TinyMCE

TinyMCE 4.x is vulnerable to several XSS vectors, which had been patched in later versions. Two of these have been identified as affecting silverstripe/admin.

Only Silverstripe CMS 4 is affected by these vulnerabilities. It's not possible to upgrade Silverstripe CMS 4 to use a more recent release of TinyMCE without introducing breaking changes. Instead, the security patches that shipped in later releases of TinyMCE have been backported to the TinyMCE version bundled in silverstripe/admin.

Silverstripe CMS 5 is not affected by these vulnerabilities because it uses TinyMCE 6.

Published: Aug 23, 2023
Updated: Aug 24, 2023
GHSA: GHSA-jxcx-3h54-qqxx
Severity: Medium
Exploit:

No technical information available.

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
silverstripe / admin	1.0.0	1.13.6

https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/admin/SS-2023-002.yaml
https://www.silverstripe.org/download/security-releases/SS-2023-002

Vulnerability Database

SilverStripe CMS Cross-site Scripting vulnerabilities inherited from TinyMCE