Silverstripe HtmlEditor embed url sanitisation

"Add from URL" doesn't clearly sanitise URL server side

HtmlEditorField_Toolbar has an action HtmlEditorField_Toolbar#viewfile, which gets called by the CMS when adding a media "from a URL" (i.e. via oembed).

This action gets the URL to add in the GET parameter FileURL. However it doesn't do any URL sanitising server side. The current logic will pass this through to Oembed, which will probably reject most dangerous URLs, but it's possible future changes would break this.

Published: May 23, 2024
Updated: Jun 27, 2024
GHSA: GHSA-qp29-wcc2-vmpc
Severity: Medium
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
silverstripe / framework	3.0.0	3.2.1

https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2015-027-1.yaml
https://www.silverstripe.org/download/security-releases/ss-2015-027

Vulnerability Database

Silverstripe HtmlEditor embed url sanitisation