CVE-2025-30148 MEDIUM

CVE-2025-30148: Silverstripe Framework has a XSS vulnerability in HTML editor

Vendor Silverstripe
Product silverstripe-framework
Weakness CWE-79 · XSS
Published April 10, 2025
Last update April 10, 2025

CVSS base score

5.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

Description

Silverstripe Framework is a PHP framework which powers the Silverstripe CMS. Prior to 5.3.23, a bad actor with access to edit content in the CMS could send a specifically crafted encoded payload to the server, which could be used to inject a JavaScript payload on the front end of the site. The payload would be sanitized on the client side, but server-side sanitization did not catch it. The server-side sanitization logic has been updated to sanitize against this attack. This vulnerability is fixed in 5.3.23.

Key dates

Disclosure timeline

April 10, 2025 CVE published
April 10, 2025 Record updated
