GHSA-52CW-PVQ9-9M5V Silverstripe uses TinyMCE which allows svg files linked in object tags
Impact TinyMCE v6 has a configuration value convertunsafeembeds set to false which allows svg files containing javascript to be used in or tags, which can be used as a vector for XSS attacks. Note that tags are not allowed by default. After patching the default value of convertunsafeembeds will b...