GHSA-52CW-PVQ9-9M5V
Vulnerability from github – Published: 2024-07-17 16:00 – Updated: 2024-07-22 16:54Impact
TinyMCE v6 has a configuration value convert_unsafe_embeds set to false which allows svg files containing javascript to be used in <object> or <embed> tags, which can be used as a vector for XSS attacks.
Note that <embed> tags are not allowed by default.
After patching the default value of convert_unsafe_embeds will be set to true. This means that <object> tags will be converted to iframes instead the next time the page is saved, which may break any pages that rely upon previously saved <object> tags. Developers can override this configuration if desired to revert to the original behaviour.
We reviewed the potential impact of this vulnerability within the context of Silverstripe CMS. We concluded this is a medium impact vulnerability given how TinyMCE is used by Silverstripe CMS.
References:
- https://www.silverstripe.org/download/security-releases/ss-2024-001
- https://github.com/advisories/GHSA-5359-pvf2-pw78
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "silverstripe/framework"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.2.16"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1395",
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2024-07-17T16:00:48Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\nTinyMCE v6 has a configuration value `convert_unsafe_embeds` set to `false` which allows svg files containing javascript to be used in `\u003cobject\u003e` or `\u003cembed\u003e` tags, which can be used as a vector for XSS attacks.\n\nNote that `\u003cembed\u003e` tags are not allowed by default.\n\nAfter patching the default value of `convert_unsafe_embeds` will be set to `true`. This means that `\u003cobject\u003e` tags will be converted to iframes instead the next time the page is saved, which may break any pages that rely upon previously saved `\u003cobject\u003e` tags. Developers can override this configuration if desired to revert to the original behaviour.\n\nWe reviewed the potential impact of this vulnerability within the context of Silverstripe CMS. We concluded this is a medium impact vulnerability given how TinyMCE is used by Silverstripe CMS.\n\n### References:\n- https://www.silverstripe.org/download/security-releases/ss-2024-001\n- https://github.com/advisories/GHSA-5359-pvf2-pw78\n\n",
"id": "GHSA-52cw-pvq9-9m5v",
"modified": "2024-07-22T16:54:34Z",
"published": "2024-07-17T16:00:48Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-52cw-pvq9-9m5v"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2024-001.yaml"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-5359-pvf2-pw78"
},
{
"type": "PACKAGE",
"url": "https://github.com/silverstripe/silverstripe-framework"
},
{
"type": "WEB",
"url": "https://www.silverstripe.org/download/security-releases/ss-2024-001"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Silverstripe uses TinyMCE which allows svg files linked in object tags"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.