CVE-2024-47605

MEDIUM

silverstripe-asset-admin - RCE

Title source: llm

Description

silverstripe-asset-admin is a silverstripe assets gallery for asset management. When using the "insert media" functionality, the linked oEmbed JSON includes an HTML attribute which will replace the embed shortcode. The HTML is not sanitized before replacing the shortcode, allowing a script payload to be executed on both the CMS and the front-end of the website. This issue has been addressed in silverstripe/framework version 5.3.8 and users are advised to upgrade. There are no known workarounds for this vulnerability.

Exploits (1)

exploitdb WORKING POC

by James Nicoll · textwebappsmultiple

https://www.exploit-db.com/exploits/52199

View Code ZIP pw:eip

References (3)

[Various Sources] https://www.silverstripe.org/download/security-releases/cve-2024-47605

[Patch] https://github.com/silverstripe/silverstripe-framework/commit/09b5052c86932f273e0d733428c9aade70ff2a4a

[Vendor Advisory] https://github.com/silverstripe/silverstripe-asset-admin/security/advisories/GHSA-7cmp-cgg8-4c82

Scores

CVSS v3 5.4

EPSS 0.0398

EPSS Percentile 88.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (2)

silverstripe/framework 0 - 5.3.8Packagist

silverstripe/silverstripe-asset-admin < 5.3.8

Published Jan 14, 2025

Tracked Since Feb 18, 2026