We are releasing two security patches for Silverstripe CMS to address two security vulnerabilities. These vulnerabilities were confidentially reported to us, and we are not aware of any attempt to exploit them before the official disclosure today.
- The first vulnerability has a medium impact and only affects Silverstripe CMS 4.
- The second vulnerability will not impact the vast majority of Silverstripe CMS projects, and affects Silverstripe CMS 4 and 5.
SS-2023-002 Cross-site scripting (XSS) vulnerability in outdated TinyMCE library
This vulnerability only impacts Silverstripe CMS 4, as it is inherited from an outdated third-party dependency in Silverstripe CMS 4. It cannot be exploited at will.
An attacker would have to trick a legitimate user with CMS access in order to exploit this vulnerability. The damage would be limited by the user’s privileges. The vulnerability is considered to have a medium impact due to these mitigating factors.
What does this mean for me?
If you are a Silverstripe CMS 4 user, upgrade the ‘silverstripe/admin’ module to 1.13.6 or greater to remedy this vulnerability.
If you are a Silverstripe CMS 5 user, you are not affected by this vulnerability as all dependencies in CMS 5 have been upgraded to recent versions.
Read the SS-2023-002 security advisory for the technical details of this vulnerability.
CVE-2023-32302 Members with no password can be created and bypass custom login forms
Silverstripe CMS 4 and 5 allow the creation of users without passwords. However, the login form will not let a user authenticate without a password, so a passwordless user cannot log in to a vanilla Silverstripe CMS site.
We’ve concluded that this vulnerability will have no impact on the vast majority of Silverstripe CMS sites. However, we’ve decided to harden the member creation UI to disallow the creation of passwordless users. Upgrade ‘silverstripe/framework’ to 4.13.12 or 5.0.11 to get this updated behaviour.
What does this mean for me?
You will only be affected by this vulnerability if:
- your project has implemented custom authentication logic that doesn’t block passwordless authentication, and
- a passwordless user has been inadvertently created.
If those two conditions don’t apply to your project, you don’t need to take any immediate action.
If you think your project might be at risk, we recommend updating your custom authentication logic to disallow passwordless authentication. You can also run a task to identify users with no password.
Read the CVE-2023-32302 security advisory for the technical details and a sample task to identify passwordless users.
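As an added illustration of the two recommendations above (not the sample task from the advisory, and not Silverstripe's own code), the following BuildTask lists Member records whose password hash is NULL or empty, and a small guard shows how project-specific authentication code can refuse an empty password before verifying credentials. The namespace, class name, task segment and helper name are assumptions; adapt them to your project.

```php
<?php
// Added example, not Silverstripe's own code. Names below are assumptions.
namespace App\Tasks;

use SilverStripe\Dev\BuildTask;
use SilverStripe\ORM\ValidationResult;
use SilverStripe\Security\Member;

class IdentifyPasswordlessUsersTask extends BuildTask
{
    // Run with: vendor/bin/sake dev/tasks/identify-passwordless-users
    private static $segment = 'identify-passwordless-users';

    protected $title = 'Identify passwordless users';

    protected $description = 'Lists Member records whose Password column is NULL or empty';

    public function run($request)
    {
        // Match both NULL and empty-string hashes; a raw WHERE clause covers
        // both cases in one query regardless of how the record was created.
        $members = Member::get()->where(
            '"Member"."Password" IS NULL OR "Member"."Password" = \'\''
        );

        if (!$members->exists()) {
            echo "No passwordless members found.\n";
            return;
        }

        foreach ($members as $member) {
            // Report the ID and email so an administrator can review each account.
            printf("ID %d\t%s\n", $member->ID, $member->Email);
        }
        echo 'Total: ' . $members->count() . "\n";
    }
}

/**
 * Hypothetical guard for custom authentication logic: call it with the
 * submitted login data before any credential check so that an empty
 * password is always rejected, mirroring the behaviour of the stock login form.
 */
function rejectPasswordlessLogin(array $data, ValidationResult $result): bool
{
    if (!isset($data['Password']) || $data['Password'] === '') {
        $result->addError('A password is required to log in.');
        return false;
    }
    return true;
}
```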
Planning your upgrade
We recommend Silverstripe CMS projects upgrade as soon as practical.
Neither of these patches is expected to carry a risk of regression.
Keen to get your upgrade underway?
Talk to your Digital Agency or Developer about upgrading
Or reach out to Silverstripe directly to upgrade your project.