Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2020-25817

Date: June 8, 2021

SilverStripe through 4.6.0-rc1 has an XXE Vulnerability in CSSContentParser. A developer utility meant for parsing HTML within unit tests can be vulnerable to XML External Entity (XXE) attacks. When this developer utility is misused for purposes involving external or user submitted data in custom project code, it can lead to vulnerabilities such as XSS on HTML output rendered through this custom code. This is now mitigated by disabling external entities during parsing. (The correct CVE ID year is 2020 [CVE-2020-25817, not CVE-2021-25817]).

Language: PHP

Severity Score

Related Resources (9)

https://forum.silverstripe.org/c/releases
https://www.silverstripe.org/download/security-releases/cve-2020-25817
https://www.silverstripe.org/blog/tag/release
https://nvd.nist.gov/vuln/detail/CVE-2020-25817
https://www.silverstripe.org/download/security-releases/cve-2021-25817
https://www.silverstripe.org/download/security-releases
https://github.com/silverstripe/silverstripe-framework
https://www.silverstripe.org/download/security-releases/
https://www.mend.io/vulnerability-database/CVE-2020-25817

Severity Score

Weakness Type (CWE)

Improper Restriction of XML External Entity Reference

CWE-611

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): HIGH
User Interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality (C): LOW
Integrity (I): LOW
Availability (A): NONE

CVSS v2

Base Score:
Access Vector (AV): NETWORK
Access Complexity (AC): MEDIUM
Authentication (AU): SINGLE
Confidentiality (C): NONE
Integrity (I): PARTIAL
Availability (A): NONE
Additional information:

Do you need more information?

Contact Us