Silverstripe Framework has an XSS via insert media remote file oembed
Impact: When using the "insert media" functionality, the linked oEmbed JSON includes an HTML attribute which will replace the embed shortcode. The HTML is not sanitized before replacing the shortcode, allowing a script payload to be executed on both the CMS and the front-end of the website...
GHSA-7CMP-CGG8-4C82 Silverstripe Framework has an XSS via insert media remote file oembed
Impact: When using the "insert media" functionality, the linked oEmbed JSON includes an HTML attribute which will replace the embed shortcode. The HTML is not sanitized before replacing the shortcode, allowing a script payload to be executed on both the CMS and the front-end of the website...
Cross-site Scripting (XSS)
Overview: silverstripe/framework is a PHP framework forming the base for the SilverStripe CMS. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the insert media functionality, where the linked oEmbed JSON includes an HTML attribute which replaces the embed shortcode...
PT-2024-11506 · WordPress · Adrotate Banner Manager
Name of the Vulnerable Software and Affected Versions: The AdRotate Banner Manager – The only ad manager you'll need plugin for WordPress, versions up to and including 5.13.2
Description: The issue is related to arbitrary file uploads due to missing file extension sanitization in the adrotate...
GHSA-J696-6M57-MCRV Silverstripe CMS XSS Vulnerability
SilverStripe CMS before 3.6.1 has XSS via an SVG document that is mishandled by (1) the Insert Media option in the content editor or (2) an admin/assets/add pathname, as demonstrated by the admin/pages/edit/EditorToolbar/MediaForm/field/AssetUploadField/upload URI, aka issue SS-2017-017...
Cross-site Scripting (XSS) Through SVG Documents
silverstripe/installer and silverstripe/framework are vulnerable to cross-site scripting (XSS) attacks. These attacks are possible because the Insert Media option within the content editor, and the pathname in admin/assets/add, allow attackers to insert SVG documents containing arbitrary JavaScript...
Code injection
SilverStripe CMS before 3.6.1 has XSS via an SVG document that is mishandled by (1) the Insert Media option in the content editor or (2) an admin/assets/add pathname, as demonstrated by the admin/pages/edit/EditorToolbar/MediaForm/field/AssetUploadField/upload URI, aka issue SS-2017-017...
CVE-2017-14498
SilverStripe CMS before 3.6.1 has XSS via an SVG document that is mishandled by (1) the Insert Media option in the content editor or (2) an admin/assets/add pathname, as demonstrated by the admin/pages/edit/EditorToolbar/MediaForm/field/AssetUploadField/upload URI, aka issue SS-2017-017...