CVE-2024-47605 — Silverstripe Framework has a XSS via insert media remote file oembed

Description

### Impact When using the "insert media" functionality, the linked oEmbed JSON includes an HTML attribute which will replace the embed shortcode. The HTML is not sanitized before replacing the shortcode, allowing a script payload to be executed on both the CMS and the front-end of the website. ## References - https://www.silverstripe.org/download/security-releases/cve-2024-47605 ## Reported by James Nicoll from [Fujitsu Cyber Security Services](https://www.fujitsu.com/nz/services/security/)

How to fix CVE-2024-47605

To remediate CVE-2024-47605, upgrade the affected package to a fixed version below.

—upgrade to 5.3.8 or later

Is CVE-2024-47605 being exploited?

Moderate — EPSS is 5.4%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (1)

from 0, < 5.3.8

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-47605
PATCHgithub.com/silverstripe/silverstripe-framework
WEBgithub.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2024-47605.yaml
WEBgithub.com/silverstripe/silverstripe-asset-admin/security/advisories/GHSA-7cmp-cgg8-4c82