Silverstripe admin XSS Vulnerability via WYSIWYG editor
A bad actor with access to the CMS can use onmouseover or onmouseout attributes in the WYSIWYG editor to embed malicious JavaScript.
Silverstripe Admin provides a basic management interface for the Silverstripe Framework. In versions on the 1.x branch prior to 1.13.19 and on the 2.x branch prior to 2.1.8, users who don't have edit or delete permissions for records exposed in a ModelAdmin can still edit or delete records using the CSV import form, provided they have create permissions. The likelihood of a user having create permissions but not having edit …
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in silverstripe/admin.
Silverstripe silverstripe/framework through 4.11 allows XSS (issue 2 of 3).
SilverStripe through 4.3.3 has Flash Clipboard Reflected XSS.
SilverStripe Framework through 4.8.1 allows XSS.