CVE-2024-47605: 
PHP vulnerability analysis and mitigation

CVE-2024-47605 affects the silverstripe-asset-admin, a Silverstripe assets gallery for asset management. The vulnerability was discovered in January 2025 and affects versions prior to silverstripe/framework 5.3.8. The issue occurs when using the "insert media" functionality, where the linked oEmbed JSON includes an HTML attribute that replaces the embed shortcode without proper sanitization (GitHub Advisory, Silverstripe Security).

The vulnerability stems from insufficient HTML sanitization in the embed shortcode replacement process. When the oEmbed JSON response contains HTML content, it is directly replaced into the shortcode without proper sanitization, allowing script payloads to be executed. The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N, indicating that it requires user interaction but can be exploited remotely without authentication (NVD).

The vulnerability allows attackers to execute arbitrary script payloads in both the CMS and the front-end of the website. This can lead to cross-site scripting (XSS) attacks, potentially compromising user sessions, stealing sensitive information, or performing unauthorized actions on behalf of authenticated users (GitHub Advisory).

The vulnerability has been fixed in silverstripe/framework version 5.3.8. Users are strongly advised to upgrade to this version. Additionally, administrators can configure embed sandboxing as detailed in the Silverstripe documentation to help mitigate similar issues. There are no known workarounds for this vulnerability other than upgrading to the patched version (Silverstripe Security).