CVE-2024-47605

5.4 MEDIUM

📋 TL;DR

This is a cross-site scripting (XSS) vulnerability in SilverStripe's asset-admin module. When users insert media via the CMS, malicious JavaScript can be injected and executed in both the admin interface and public website. All SilverStripe installations using vulnerable versions of the framework are affected.

💻 Affected Systems

Products:
  • silverstripe/framework
  • silverstripe-asset-admin
Versions: silverstripe/framework < 5.3.8
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires CMS access to exploit via 'insert media' functionality

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal admin session cookies, perform actions as authenticated users, deface websites, or redirect users to malicious sites.

🟠 Likely Case

Attackers with CMS access could inject persistent XSS payloads affecting all website visitors, potentially stealing session data or credentials.

🟢 If Mitigated

With proper input validation and output encoding, the risk is limited to authenticated CMS users only.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated CMS access, but is straightforward once that access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: silverstripe/framework 5.3.8

Vendor Advisory: https://www.silverstripe.org/download/security-releases/cve-2024-47605

Restart Required: No

Instructions:

  1. Update composer.json to require 'silverstripe/framework': '^5.3.8'
  2. Run 'composer update silverstripe/framework'
  3. Clear the SilverStripe cache via 'vendor/bin/sake dev/build flush=all'

🔧 Temporary Workarounds

Disable oEmbed functionality

Applies to: all

Remove or disable the 'insert media' functionality that triggers the vulnerable oEmbed processing

🧯 If You Can't Patch

  • Restrict CMS access to trusted users only and implement strict access controls
  • Implement web application firewall (WAF) rules to block XSS payloads in oEmbed responses

🔍 How to Verify

Check if Vulnerable:

Check composer.lock for 'silverstripe/framework' version below 5.3.8

Check Version:

composer show silverstripe/framework | grep versions

Verify Fix Applied:

Confirm 'silverstripe/framework' version is 5.3.8 or higher in composer.lock

📡 Detection & Monitoring

Log Indicators:

  • Unusual oEmbed requests in CMS logs
  • Multiple failed media insertion attempts

Network Indicators:

  • Suspicious JavaScript payloads in HTTP POST requests to media endpoints

SIEM Query:

source='web_logs' AND (uri_path LIKE '%/admin/assets/insert-media%' OR uri_path LIKE '%/admin/assets/embed%') AND (http_method='POST' AND (request_body LIKE '%<script%' OR request_body LIKE '%javascript:%'))
