CVE-2020-25817

Опубликовано: 08 июн. 2021

Источник: nvd

CVSS3: 4.8

CVSS2: 3.5

EPSS Низкий

Описание

SilverStripe through 4.6.0-rc1 has an XXE Vulnerability in CSSContentParser. A developer utility meant for parsing HTML within unit tests can be vulnerable to XML External Entity (XXE) attacks. When this developer utility is misused for purposes involving external or user submitted data in custom project code, it can lead to vulnerabilities such as XSS on HTML output rendered through this custom code. This is now mitigated by disabling external entities during parsing. (The correct CVE ID year is 2020 [CVE-2020-25817, not CVE-2021-25817]).

Ссылки

https://forum.silverstripe.org/c/releases
Release Notes
Vendor Advisory
https://www.silverstripe.org/blog/tag/release
Release Notes
Vendor Advisory
https://www.silverstripe.org/download/security-releases/
Vendor Advisory
https://www.silverstripe.org/download/security-releases/cve-2020-25817
Broken Link
https://forum.silverstripe.org/c/releases
Release Notes
Vendor Advisory
https://www.silverstripe.org/blog/tag/release
Release Notes
Vendor Advisory
https://www.silverstripe.org/download/security-releases/
Vendor Advisory
https://www.silverstripe.org/download/security-releases/cve-2020-25817
Broken Link

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:silverstripe:silverstripe:*:*:*:*:*:*:*:*

Версия до 4.6.0 (исключая)

cpe:2.3:a:silverstripe:silverstripe:4.6.0:rc1:*:*:*:*:*:*

EPSS

Процентиль: 57%

0.00348

Низкий

4.8 Medium

CVSS3

3.5 Low

CVSS2

Дефекты

CWE-611

Связанные уязвимости

GHSA-3vjc-5x79-m9r8