silverstripe/framework is vulnerable to Cross-Site Scripting (XSS)
54
Medium Risk
The silverstripe/framework CMS exposes an Insert media from web feature that renders oEmbed results through EmbedShortcodeProvider. When the resolved embed HTML contains two or fewer tags, sandboxHtml returns it directly into the page instead of isolating it in a sandboxed iframe, so the embed markup runs in the context of the main document. An attacker who controls the embed response can include event-handler attributes such as onload or a javascript: or data: iframe source, causing script to execute in a CMS user's browser. The fix strips unknown and dangerous attributes and rejects unsafe URL schemes on non-sandboxed iframes.
You are affected if you are using a version that falls within the vulnerable range and your CMS lets authors insert media from web (embed) URLs that can be attacker-influenced.
silverstripe/framework is vulnerable to Cross-Site Scripting (XSS) in versions 3.0.0 - 6.2.1.
Upgrade the silverstripe/framework library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant