CVE-2020-25817

MEDIUM

SilverStripe < 4.6.0 - XML External Entity Injection in CSSContentParser


Description

SilverStripe through 4.6.0-rc1 has an XXE Vulnerability in CSSContentParser. A developer utility meant for parsing HTML within unit tests can be vulnerable to XML External Entity (XXE) attacks. When this developer utility is misused for purposes involving external or user submitted data in custom project code, it can lead to vulnerabilities such as XSS on HTML output rendered through this custom code. This is now mitigated by disabling external entities during parsing. (The correct CVE ID year is 2020 [CVE-2020-25817, not CVE-2021-25817]).
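The mitigation named above, parsing with external entities disabled, is shown below as an added PHP example; it is not SilverStripe's CSSContentParser code, and the function name, the rejection check and the sample fragments are assumptions made for this illustration. It parses a markup fragment with libxml while refusing DOCTYPE and entity declarations outright and forbidding network access during parsing, so an entity reference can never be resolved to external content.

```php
<?php
// Added example (not SilverStripe's own code): parse an HTML/XML fragment with
// libxml while keeping external entity expansion disabled. Function name and
// sample inputs are assumptions made for this illustration.

function parseFragmentSafely(string $markup): ?DOMDocument
{
    // A test-helper parser has no legitimate need for DOCTYPE or ENTITY
    // declarations; rejecting them up front removes the XXE surface
    // regardless of which libxml version is installed.
    if (preg_match('/<!(DOCTYPE|ENTITY)\b/i', $markup)) {
        return null;
    }

    $previousSetting = libxml_use_internal_errors(true);
    $dom = new DOMDocument('1.0', 'UTF-8');

    // LIBXML_NONET forbids network access while parsing. LIBXML_NOENT is
    // deliberately NOT passed, so entity references are never substituted.
    $loaded = $dom->loadXML(
        $markup,
        LIBXML_NONET | LIBXML_NOERROR | LIBXML_NOWARNING
    );

    libxml_clear_errors();
    libxml_use_internal_errors($previousSetting);

    return $loaded ? $dom : null;
}

// Constructed sample: the kind of fragment a unit test would inspect.
$fragment = '<div class="content"><p id="intro">Hello</p></div>';
$dom = parseFragmentSafely($fragment);
echo $dom !== null
    ? $dom->getElementsByTagName('p')->item(0)->textContent
    : 'rejected';
echo "\n";

// Constructed sample that declares an external entity (placeholder path);
// it is rejected before libxml ever sees the declaration.
$withEntity = '<?xml version="1.0"?>'
    . '<!DOCTYPE d [<!ENTITY ext SYSTEM "file:///placeholder-path">]>'
    . '<d>&ext;</d>';
echo parseFragmentSafely($withEntity) !== null ? 'parsed' : 'rejected';
echo "\n";
```

The up-front rejection is the important part: relying on libxml defaults alone is fragile because the defaults differ between libxml releases and because a later caller can re-enable substitution by passing LIBXML_NOENT, whereas a helper that never accepts DOCTYPE or ENTITY declarations cannot be pushed into resolving an external entity.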

References (4)

- Vendor Advisory (x_refsource_confirm): https://www.silverstripe.org/download/security-releases/
- Release Notes, Vendor Advisory (x_refsource_misc): https://www.silverstripe.org/blog/tag/release
- Release Notes, Vendor Advisory (x_refsource_misc): https://forum.silverstripe.org/c/releases

Scores

CVSS v3 4.8
EPSS 0.0082
EPSS Percentile 52.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-611
Status published
Products (3)
- silverstripe/framework 4.0.0 - 4.7.4 (Packagist)
- silverstripe/silverstripe 4.6.0 rc1
- silverstripe/silverstripe < 4.6.0
Published Jun 08, 2021
Tracked Since Feb 18, 2026