Introduction

Silverstripe is a popular open-source CMS for creating and maintaining websites. During a client engagement, Leo Diamat discovered a Cross-Site Scripting (XSS) vulnerability within the Silverstripe framework. After reporting the issue to Silverstripe, it was classified as medium severity (CVE-2024-53277). This advisory provides an in-depth look at the vulnerability, detailing its technical aspects, exploitation methods, and the potential risks to users and organisations.

The Silverstripe team responded promptly, identified the root cause, and issued a fix to address the vulnerability.

The Vulnerability

Silverstripe offers the FormMessage class to display notifications and alerts within its forms, such as success messages or warnings. However, improper handling of user input in these messages created a pathway for attackers to inject malicious scripts. This meant that certain content rendered as a notification could execute as code if not adequately sanitised.

The vulnerability arises when a user creates a form entry containing malicious input. The input is sanitised once the entry has been created, but it is not sanitised in the notification shown when that entry is deleted. This inconsistency in sanitisation means the script executes during the deletion process, which attackers could exploit to escalate privileges and exfiltrate sensitive data.

Proof of Concept

To demonstrate this issue, the following XSS payload can be used when creating an entry that uses the Silverstripe FormMessage.

Bastion"><img/src/onerror=alert(document.location)>

Figure: XSS payload

After the entry is created, the payload does not execute because sanitisation is applied. When the entry is deleted, however, a deletion notification appears that is not sanitised, and the XSS payload executes.

Figure: XSS triggered
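The inconsistency described above, modelled as an added Python example (this is not Silverstripe's code): the create path renders its message as escaped text, the delete path composes the untrusted title into a message rendered as raw HTML, and a small tag check flags the difference so a regression test can catch it. The FormMessage/Cast model, the message wording and the tag allowlist are assumptions made for the example.

```python
import html
from dataclasses import dataclass
from enum import Enum
from html.parser import HTMLParser

class Cast(Enum):
    TEXT = "text"  # plain text: escaped when rendered (assumed model, not Silverstripe's API)
    HTML = "html"  # trusted markup: emitted as-is, so every fragment must already be safe

@dataclass
class FormMessage:
    message: str
    cast: Cast

    def render(self) -> str:
        body = html.escape(self.message, quote=True) if self.cast is Cast.TEXT else self.message
        return f'<p class="message">{body}</p>'

# Payload from the advisory, used here as constructed test input.
PAYLOAD = 'Bastion"><img/src/onerror=alert(document.location)>'

def created_notice(title: str) -> str:
    # Create path: the whole message is text, so the title is escaped at render time.
    return FormMessage(f"Created '{title}'", Cast.TEXT).render()

def deleted_notice_unsafe(title: str) -> str:
    # Delete path as the inconsistency occurs: the author wants <strong> markup,
    # switches to HTML cast, and the untrusted title rides along unescaped.
    return FormMessage(f"Deleted <strong>{title}</strong>", Cast.HTML).render()

def deleted_notice_fixed(title: str) -> str:
    # Fix: escape the untrusted fragment before composing it into markup.
    safe = html.escape(title, quote=True)
    return FormMessage(f"Deleted <strong>{safe}</strong>", Cast.HTML).render()

class _TagCollector(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.tags: list[tuple[str, list[str]]] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, [name for name, _ in attrs]))

def unexpected_tags(rendered: str, allowed=("p", "strong")) -> list[tuple[str, list[str]]]:
    """Regression check: any start tag outside the allowlist is injected markup."""
    parser = _TagCollector()
    parser.feed(rendered)
    parser.close()
    return [(tag, names) for tag, names in parser.tags if tag not in allowed]
```

Running `unexpected_tags` over each notice rendered with the payload returns an `img` tag carrying an `onerror` attribute only for the unsafe delete path.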

Potential Impact

A threat actor who has gained access to a low-privilege user account on the CMS could craft an XSS payload to escalate their privileges or exfiltrate sensitive data. This could occur when an administrator deletes an entry containing the malicious payload, causing it to execute within the context of the administrator’s browser session and permissions.

How To Fix It

Upgrade to Silverstripe 5.3.8 or greater. Silverstripe has released patches for all affected versions. More details can be found here.

Vulnerability Disclosure Timeline

  • 26/11/2024 - Issue reported to Silverstripe
  • 15/01/2025 - Patch released and CVE assigned (CVE-2024-53277)
  • 22/01/2025 - Publicly Disclosed
