CVE-2025-25197 MEDIUM

CVE-2025-25197: Silverstripe Elemental enables XSS attacks in elemental "Content blocks in use" reports

Vendor: Silverstripe
Product: silverstripe-elemental
Weakness: CWE-79 · XSS (Cross-site Scripting)
Published: April 10, 2025
Last update: April 10, 2025

CVSS base score

5.4/10 (Medium)
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Confidentiality: Low
Integrity: Low
Availability: None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

Description

Silverstripe Elemental extends a page type by replacing its single content text field with a list of manageable elements from which the page is composed. An elemental block can contain an XSS payload that executes when the "Content blocks in use" report is viewed. The vulnerability is specific to that report and results from a failure to cast (escape) block content before it is included in the report's grid field. This vulnerability is fixed in 5.3.12.

Key dates

Disclosure timeline

April 10, 2025: CVE published
April 10, 2025: Record updated