Description
Silverstripe Elemental extends a page type so that the content area is replaced by a list of manageable elements from which a page is composed, rather than a single text field. An elemental block can include an XSS payload, which is executed when the "Content blocks in use" report is viewed. The vulnerability is specific to that report and results from a failure to cast input before including it in the grid field. This vulnerability is fixed in 5.3.12.
References (3)
Vendor Advisory
https://github.com/silverstripe/silverstripe-elemental/security/advisories/GHSA-x8xm-c7p8-2pj2
Patch
https://github.com/silverstripe/silverstripe-elemental/commit/34ff4ed498ccab94cc5f55ef9a56c37f491eda1d
Various Sources
https://www.silverstripe.org/download/security-releases/CVE-2025-25197
Scores
CVSS v3
5.4
EPSS
0.0017
EPSS Percentile
38.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (2)
dnadesign/silverstripe-elemental
2.1.2 - 5.3.12 (Packagist)
silverstripe/silverstripe-elemental
>= 2.1.2, < 5.3.12
Published
Apr 10, 2025
Tracked Since
Feb 18, 2026