CVE-2024-32981

Cross-site Scripting vulnerability with encoded payload in silverstripe/framework

Description

Silverstripe framework is the PHP framework forming the base for the Silverstripe CMS. In affected versions a bad actor with access to edit content in the CMS could add send a specifically crafted encoded payload to the server, which could be used to inject a JavaScript payload on the front end of the site. The payload would be sanitised on the client-side, but server-side sanitisation doesn't catch it. The server-side sanitisation logic has been updated to sanitise against this type of attack in version 5.2.16. All users are advised to upgrade. There are no known workarounds for this vulnerability.

Category

5.4
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.18%
Affected: silverstripe silverstripe-framework
Published at:
Updated at:

References

Link Tags
https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-chx7-9x8h-r5mg
https://github.com/silverstripe/silverstripe-framework/commit/b8d20dc9d531550e06fd7da7a0eafa551922e2e1
https://www.silverstripe.org/download/security-releases/cve-2024-32981

Frequently Asked Questions

What is the severity of CVE-2024-32981?
CVE-2024-32981 has been scored as a medium severity vulnerability.
How to fix CVE-2024-32981?
To fix CVE-2024-32981, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-32981 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2024-32981 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-32981?
CVE-2024-32981 affects silverstripe silverstripe-framework.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.