CVE-2024-47605

MEDIUM

Silverstripe asset-admin < 5.3.8 - oEmbed Cross-Site Scripting

Title source: manual

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-47605. PoCs published by James Nicoll.

AI-analyzed exploit summary This exploit demonstrates a stored XSS vulnerability in SilverStripe CMS versions up to 5.2.22. By leveraging the 'insert media' functionality, an attacker can inject malicious JavaScript via an oEmbed JSON payload, which is not sanitized before being rendered on both the CMS and frontend.

Description

silverstripe-asset-admin is a silverstripe assets gallery for asset management. When using the "insert media" functionality, the linked oEmbed JSON includes an HTML attribute which will replace the embed shortcode. The HTML is not sanitized before replacing the shortcode, allowing a script payload to be executed on both the CMS and the front-end of the website. This issue has been addressed in silverstripe/framework version 5.3.8 and users are advised to upgrade. There are no known workarounds for this vulnerability.

Exploits (1)

exploitdb WORKING POC

by James Nicoll · textwebappsmultiple

https://www.exploit-db.com/exploits/52199

View Code ZIP pw:eip

This exploit demonstrates a stored XSS vulnerability in SilverStripe CMS versions up to 5.2.22. By leveraging the 'insert media' functionality, an attacker can inject malicious JavaScript via an oEmbed JSON payload, which is not sanitized before being rendered on both the CMS and frontend.

Classification

Working Poc 100%

Attack Type

Xss

Complexity

Moderate

Reliability

Reliable

Target: SilverStripe CMS 5.2.22

Auth required

Prerequisites: Valid login credentials for a user with page edit rights · Attacker-controlled server hosting malicious oEmbed JSON and HTML files

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059.007 - JavaScript

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Vendor Advisory x_refsource_confirm

https://github.com/silverstripe/silverstripe-asset-admin/security/advisories/GHSA-7cmp-cgg8-4c82

Patch x_refsource_misc

https://github.com/silverstripe/silverstripe-framework/commit/09b5052c86932f273e0d733428c9aade70ff2a4a

View Patch ZIP pw:eip

Various Sources x_refsource_misc

https://www.silverstripe.org/download/security-releases/cve-2024-47605

Scores

CVSS v3 5.4

EPSS 0.0711

EPSS Percentile 91.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (2)

silverstripe/framework 0 - 5.3.8Packagist

silverstripe/silverstripe-asset-admin < 5.3.8

Published Jan 14, 2025

Tracked Since Feb 18, 2026