GHSA-52cw-pvq9-9m5v: 
PHP vulnerability analysis and mitigation

A cross-site scripting (XSS) vulnerability was discovered in TinyMCE's content loading and content inserting code, identified as GHSA-52cw-pvq9-9m5v. The vulnerability affects TinyMCE v6 where the configuration value convertunsafeembeds is set to false, allowing SVG files containing JavaScript to be used in object tags, potentially enabling XSS attacks. The issue was discovered in Silverstripe Framework versions below 5.2.16 and was patched in version 5.2.16, with a release date of July 17, 2024 (Silverstripe Advisory, GitHub Advisory).

The vulnerability stems from TinyMCE's handling of external SVG files through Object or Embed elements. The issue occurs because the convertunsafeembeds configuration is set to false by default, allowing SVG files containing malicious JavaScript to be loaded through object or embed elements. The vulnerability has been assigned a CVSS v3.1 score of 5.4, indicating moderate severity, with attack vector being Network, attack complexity Low, and requiring Low privileges (GitHub Advisory).

When exploited, this vulnerability could allow attackers to execute cross-site scripting attacks through SVG files containing JavaScript payloads. The impact is considered medium within the context of Silverstripe CMS, affecting both confidentiality and integrity with low severity, while having no impact on availability (Silverstripe Advisory).

The vulnerability has been patched in Silverstripe Framework version 5.2.16 by setting convertunsafeembeds to true by default. After patching, object tags will be automatically converted to iframes when pages are saved. For users who cannot immediately update, developers can implement a custom NodeFilter to remove or modify object or embed elements using the editor.parser.addNodeFilter and editor.serializer.addNodeFilter APIs (GitHub Advisory).