GHSA-jxcx-3h54-qqxx

Опубликовано: 23 авг. 2023

Источник: github

Github: Прошло ревью

Описание

SilverStripe CMS Cross-site Scripting vulnerabilities inherited from TinyMCE

TinyMCE 4.x is vulnerable to several XSS vectors, which had been patched in later versions. Two of these have been identified as affecting silverstripe/admin.

Only Silverstripe CMS 4 is affected by these vulnerabilities. It's not possible to upgrade Silverstripe CMS 4 to use a more recent release of TinyMCE without introducing breaking changes. Instead, the security patches that shipped in later releases of TinyMCE have been backported to the TinyMCE version bundled in silverstripe/admin.

Silverstripe CMS 5 is not affected by these vulnerabilities because it uses TinyMCE 6.

Ссылки

https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/admin/SS-2023-002.yaml
https://www.silverstripe.org/download/security-releases/SS-2023-002

Пакеты

Наименование

silverstripe/admin

composer

Затронутые версииВерсия исправления

>= 1.0.0, < 1.13.6

1.13.6

Дефекты

CWE-79

Дефекты

CWE-79