Silverstripe Framework is a PHP framework which powers the Silverstripe CMS. Prior to 5.3.23, bad actor with access to edit content in the CMS could send a specifically crafted encoded payload to the server, which could be used to inject a JavaScript payload on the front end of the site. The payload would be sanitized on the client-side, but server-side sanitization doesn't catch it. The server-side sanitization logic has been updated to sanitize against this attack. This vulnerability is fixed in 5.3.23.
History

Thu, 04 Sep 2025 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Silverstripe
Silverstripe framework
CPEs cpe:2.3:a:silverstripe:framework:*:*:*:*:*:*:*:*
Vendors & Products Silverstripe
Silverstripe framework

Thu, 10 Apr 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 10 Apr 2025 13:15:00 +0000

Type Values Removed Values Added
Description Silverstripe Framework is a PHP framework which powers the Silverstripe CMS. Prior to 5.3.23, bad actor with access to edit content in the CMS could send a specifically crafted encoded payload to the server, which could be used to inject a JavaScript payload on the front end of the site. The payload would be sanitized on the client-side, but server-side sanitization doesn't catch it. The server-side sanitization logic has been updated to sanitize against this attack. This vulnerability is fixed in 5.3.23.
Title Silverstripe Framework has a XSS vulnerability in HTML editor
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2025-04-10T13:34:14.930Z

Reserved: 2025-03-17T12:41:42.565Z

Link: CVE-2025-30148

cve-icon Vulnrichment

Updated: 2025-04-10T13:34:06.723Z

cve-icon NVD

Status : Analyzed

Published: 2025-04-10T13:15:51.930

Modified: 2025-09-04T17:13:05.550

Link: CVE-2025-30148

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.