GHSA-4q66-g4mm-8rg5: Silverstripe has Cross-site Scripting (XSS) vulnerabilities inherited from TinyMCE

Package

silverstripe/admin (Composer)

Affected versions

< 1.13.6

Patched versions

1.13.6

Description

TinyMCE 4.x is vulnerable to several XSS vectors, which had been patched in later versions. Two of these have been identified as affecting silverstripe/admin.

Only Silverstripe CMS 4 is affected by this issue. It’s not possible to upgrade Silverstripe CMS 4 to use a more recent release of TinyMCE without introducing breaking changes. Instead, the security patches that shipped in later releases of TinyMCE have been backported to the TinyMCE version bundled in silverstripe/admin.

Silverstripe CMS 5 is not affected by those vulnerabilities because it uses TinyMCE 6.

You can find more information about the underlying vulnerabilities in those GitHub security advisories:

  • GHSA-5h9g-x5rv-25wg Cross-site scripting vulnerability in TinyMCE
  • GHSA-w7jx-j77m-wp65 Cross-site scripting vulnerability in TinyMCE
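A quick way to check whether a project pulls in an affected release is to scan its composer.lock for silverstripe/admin below the patched version listed above. The script below is an added example, not part of the advisory or of Silverstripe's own tooling; the embedded lock file is constructed, and the version parser is a deliberately simple one that treats unparseable or dev versions as needing review.

```python
import json
import re

AFFECTED_PACKAGE = "silverstripe/admin"
PATCHED_VERSION = "1.13.6"  # advisory: affected versions are < 1.13.6

def parse_version(version):
    """Map 'v1.13.5' / '1.13.5' to a comparable (major, minor, patch) tuple.
    Returns None for versions with no leading numeric core (e.g. 'dev-master')."""
    match = re.match(r"v?(\d+(?:\.\d+)*)", version.strip())
    if not match:
        return None
    parts = [int(p) for p in match.group(1).split(".")]
    parts += [0] * (3 - len(parts))  # pad '1.13' to (1, 13, 0)
    return tuple(parts[:3])

def is_affected(version):
    """True when the version is below the patched release.
    Unparseable versions are reported as affected so they get reviewed by hand."""
    parsed = parse_version(version)
    if parsed is None:
        return True
    return parsed < parse_version(PATCHED_VERSION)

def find_affected(lock_json):
    """Return [(name, version)] for installed copies of the affected package
    in both the runtime and dev sections of a composer.lock document."""
    data = json.loads(lock_json)
    hits = []
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            if pkg.get("name") == AFFECTED_PACKAGE and is_affected(pkg.get("version", "")):
                hits.append((pkg["name"], pkg["version"]))
    return hits

# Constructed composer.lock excerpt for demonstration; not from a real project.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "silverstripe/framework", "version": "4.13.0"},
        {"name": "silverstripe/admin", "version": "1.13.5"},
    ],
    "packages-dev": [
        {"name": "phpunit/phpunit", "version": "9.6.0"},
    ],
})

if __name__ == "__main__":
    for name, version in find_affected(SAMPLE_LOCK):
        print(f"{name} {version} is below {PATCHED_VERSION}: update to the patched release")
```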

References

  • GHSA-4q66-g4mm-8rg5
  • silverstripe/silverstripe-admin@cafc1c4
  • GHSA-5h9g-x5rv-25wg
  • GHSA-w7jx-j77m-wp65

maxime-rainville published to silverstripe/silverstripe-admin

Jul 31, 2023

Published to the GitHub Advisory Database

Jul 31, 2023

Reviewed

Jul 31, 2023
