GHSA-jxcx-3h54-qqxx

Source
https://github.com/advisories/GHSA-jxcx-3h54-qqxx
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-jxcx-3h54-qqxx/GHSA-jxcx-3h54-qqxx.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-jxcx-3h54-qqxx
Published
2023-08-23T19:43:56Z
Modified
2024-11-29T05:40:04.243017Z
Summary
SilverStripe CMS Cross-site Scripting vulnerabilities inherited from TinyMCE
Details

TinyMCE 4.x is vulnerable to several XSS vectors that were patched in later TinyMCE releases. Two of these have been identified as affecting silverstripe/admin, which bundles TinyMCE 4.x.

Only Silverstripe CMS 4 is affected by these vulnerabilities. It is not possible to upgrade Silverstripe CMS 4 to use a more recent release of TinyMCE without introducing breaking changes. Instead, the security patches that shipped in later releases of TinyMCE have been backported to the TinyMCE version bundled in silverstripe/admin; the backported fixes ship in silverstripe/admin 1.13.6, so every 1.x release before that (including pre-releases) remains affected.

Silverstripe CMS 5 is not affected by these vulnerabilities because it uses TinyMCE 6.
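
The practical question for a site operator is whether the silverstripe/admin pinned in composer.lock falls inside the advisory's ECOSYSTEM range (introduced 1.0.0, fixed 1.13.6). The script below is an added example for this page, not code from the Silverstripe project or from OSV. It parses a composer.lock, orders versions the way Composer does (1.13.0-beta1 < 1.13.0-rc1 < 1.13.0, so pre-releases of the fixed version still count as vulnerable) and reports each matching entry. The lock-file excerpt and the package name example/unrelated are constructed for illustration; branch aliases such as 1.x-dev cannot be ranked and are flagged for manual review rather than silently passed.

```python
"""Check a composer.lock against the silverstripe/admin range in GHSA-jxcx-3h54-qqxx.

Added example for this advisory page; the lock-file excerpt below is
constructed, not taken from a real project.
"""
import json
import re

PACKAGE = "silverstripe/admin"
# ECOSYSTEM range from the advisory: introduced 1.0.0, fixed 1.13.6.
INTRODUCED = "1.0.0"
FIXED = "1.13.6"

# Composer stability order, lowest first; a plain release sorts above all of them.
STABILITY_RANK = {"dev": 0, "alpha": 1, "beta": 2, "rc": 3}
STABLE_RANK = 4

VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:-(dev|alpha|beta|rc)\.?(\d*))?$", re.IGNORECASE
)


def parse_version(version):
    """Turn "1.13.0-beta1" into a sortable tuple (1, 13, 0, 2, 1).

    Pre-releases sort below the release they precede, matching Composer's
    ordering 1.13.0-beta1 < 1.13.0-rc1 < 1.13.0. Branch aliases such as
    "1.x-dev" do not match and raise ValueError.
    """
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    major, minor, patch, stage, num = m.groups()
    rank = STABILITY_RANK[stage.lower()] if stage else STABLE_RANK
    return (int(major), int(minor), int(patch), rank, int(num) if num else 0)


def is_affected(version):
    """True when INTRODUCED <= version < FIXED (OSV range semantics)."""
    v = parse_version(version)
    return parse_version(INTRODUCED) <= v < parse_version(FIXED)


def check_lock(lock_text):
    """Return [(section, version, affected)] for every silverstripe/admin entry.

    affected is True/False, or None when the version string (e.g. a dev
    branch alias) cannot be ranked and must be resolved by hand.
    """
    lock = json.loads(lock_text)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") != PACKAGE:
                continue
            try:
                affected = is_affected(pkg["version"])
            except ValueError:
                affected = None
            findings.append((section, pkg["version"], affected))
    return findings


# Constructed composer.lock excerpt: a CMS 4 site still pinned to 1.13.5.
# "example/unrelated" is a placeholder package, present only to show filtering.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "example/unrelated", "version": "2.0.0"},
        {"name": PACKAGE, "version": "1.13.5"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    for section, version, affected in check_lock(SAMPLE_LOCK):
        if affected is None:
            status = "unranked version, check manually"
        elif affected:
            status = "AFFECTED, upgrade to >= " + FIXED
        else:
            status = "not affected"
        print(f"{PACKAGE} {version} ({section}): {status}")
```

Run it against a real lock file with `check_lock(open("composer.lock").read())`. Because the comparison is done on the resolved lock-file version rather than the constraint in composer.json, it reflects what is actually deployed; a constraint of `^1.13` is no guarantee that 1.13.6 has been installed.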

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-08-23T19:43:56Z"
}
References

Affected packages

Packagist / silverstripe/admin

Package

Name
silverstripe/admin
Purl
pkg:composer/silverstripe/admin

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.0.0
Fixed
1.13.6

Affected versions

1.*

1.0.0
1.0.1-rc1
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.1.0-rc1
1.1.0-rc2
1.1.0
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.2.0-beta1
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.2.5
1.2.6
1.3.0-rc1
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5
1.4.0-rc1
1.4.0
1.4.1
1.4.2
1.4.3
1.4.4
1.4.5
1.5.0-alpha1
1.5.0-rc1
1.5.0-rc2
1.5.0
1.5.1
1.5.2
1.6.0-beta1
1.6.0-rc1
1.6.0
1.6.1
1.6.2
1.6.3
1.6.4
1.7.0-beta1
1.7.0-rc1
1.7.0
1.7.1
1.7.2
1.7.3
1.7.4
1.8.0-beta1
1.8.0-rc1
1.8.0
1.8.1
1.9.0-alpha1
1.9.0-beta1
1.9.0-rc1
1.9.0
1.10.0-beta1
1.10.0-rc1
1.10.0
1.10.1
1.10.2
1.10.3
1.10.4
1.11.0-beta1
1.11.0-rc1
1.11.0
1.11.1
1.11.2
1.11.3
1.12.0-beta1
1.12.0-rc1
1.12.0
1.12.1
1.12.2
1.12.3
1.12.4
1.12.5
1.12.6
1.12.7
1.13.0-beta1
1.13.0-rc1
1.13.0
1.13.1
1.13.2
1.13.3
1.13.4
1.13.5