CVE-2024-47605

Cross-site Scripting via insert media remote file oembed in silverstripe-asset-admin

Description

silverstripe-asset-admin is a silverstripe assets gallery for asset management. When using the "insert media" functionality, the linked oEmbed JSON includes an HTML attribute which will replace the embed shortcode. The HTML is not sanitized before replacing the shortcode, allowing a script payload to be executed on both the CMS and the front-end of the website. This issue has been addressed in silverstripe/framework version 5.3.8 and users are advised to upgrade. There are no known workarounds for this vulnerability.

Category

5.4
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 2.03% Top 20%
Affected: silverstripe silverstripe-asset-admin
Published at:
Updated at:

References

Link Tags
https://github.com/silverstripe/silverstripe-asset-admin/security/advisories/GHSA-7cmp-cgg8-4c82
https://github.com/silverstripe/silverstripe-framework/commit/09b5052c86932f273e0d733428c9aade70ff2a4a
https://www.silverstripe.org/download/security-releases/cve-2024-47605

Frequently Asked Questions

What is the severity of CVE-2024-47605?
CVE-2024-47605 has been scored as a medium severity vulnerability.
How to fix CVE-2024-47605?
To fix CVE-2024-47605, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-47605 being actively exploited in the wild?
It is possible that CVE-2024-47605 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~2% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-47605?
CVE-2024-47605 affects silverstripe silverstripe-asset-admin.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.