Home > Vulnerability Database > CVE-2025-25197

Mend.io Vulnerability Database

CVE-2025-25197

Good to know:

Date: April 10, 2025

Silverstripe Elemental extends a page type to swap the content area for a list of manageable elements to compose a page out of rather than a single text field. An elemental block can include an XSS payload, which can be executed when viewing the "Content blocks in use" report. The vulnerability is specific to that report and is a result of failure to cast input prior to including it in the grid field. This vulnerability is fixed in 5.3.12.

Severity Score

5.4

Related Resources (8)

Url: https://github.com/silverstripe/silverstripe-elemental/commit/34ff4ed498ccab94cc5f55ef9a56c37f491eda1d

Url: https://github.com/silverstripe/silverstripe-elemental/pull/1345

Url: https://github.com/silverstripe/silverstripe-elemental/security/advisories/GHSA-x8xm-c7p8-2pj2

Url: https://github.com/FriendsOfPHP/security-advisories/blob/master/dnadesign/silverstripe-elemental/CVE-2025-25197.yaml

Url: https://github.com/silverstripe/silverstripe-elemental

Url: https://www.silverstripe.org/download/security-releases/CVE-2025-25197

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-25197

Url: https://www.mend.io/vulnerability-database/CVE-2025-25197

Severity Score

5.4

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

Top Fix

Upgrade Version

Upgrade to version dnadesign/silverstripe-elemental - 5.3.12

Learn More

CVSS v3.1

Base Score:	5.4
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-25197

Good to know:

Date: April 10, 2025

Severity Score

Related Resources (8)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?