Vulnerability Description
Silverstripe Elemental extends a page type to swap the content area for a list of manageable elements to compose a page out of rather than a single text field. An elemental block can include an XSS payload, which can be executed when viewing the "Content blocks in use" report. The vulnerability is specific to that report and is a result of failure to cast input prior to including it in the grid field. This vulnerability is fixed in 5.3.12.
CVSS Score
MEDIUM
Related Weaknesses (CWE)
References
- https://github.com/silverstripe/silverstripe-elemental/commit/34ff4ed498ccab94cc
- https://github.com/silverstripe/silverstripe-elemental/security/advisories/GHSA-
- https://www.silverstripe.org/download/security-releases/CVE-2025-25197
FAQ
What is CVE-2025-25197?
CVE-2025-25197 is a vulnerability with a CVSS score of 5.4 (MEDIUM). Silverstripe Elemental extends a page type to swap the content area for a list of manageable elements to compose a page out of rather than a single text field. An elemental block can include an XSS pa...
How severe is CVE-2025-25197?
CVE-2025-25197 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-25197?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.