CVE-2025-30148: Silverstripe Framework has a XSS vulnerability in HTML editor

5.4 CVSS

Description

Silverstripe Framework is a PHP framework which powers the Silverstripe CMS. Prior to 5.3.23, bad actor with access to edit content in the CMS could send a specifically crafted encoded payload to the server, which could be used to inject a JavaScript payload on the front end of the site. The payload would be sanitized on the client-side, but server-side sanitization doesn't catch it. The server-side sanitization logic has been updated to sanitize against this attack. This vulnerability is fixed in 5.3.23.

Classification

CVE ID: CVE-2025-30148

CVSS Base Severity: MEDIUM

CVSS Base Score: 5.4

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Problem Types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected Products

Vendor: silverstripe

Product: silverstripe-framework

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.03% (probability of being exploited)

EPSS Percentile: 7.72% (scored less or equal to compared to others)

EPSS Date: 2025-04-20 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-30148
https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-rhx4-hvx9-j387
https://github.com/silverstripe/silverstripe-framework/commit/e99cfd62d160d145a76fcf9631e6b11226e42358
https://www.silverstripe.org/download/security-releases/cve-2025-30148

Timeline

2025-04-10 13:40:16 UTC
CVE

Silverstripe Framework has a XSS vulnerability in HTML editor
2025-04-10 19:30:41 UTC
Github Advisory Database (Composer)

[silverstripe/framework] Silverstripe Framework has a XSS vulnerability in HTML editor