4.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-25817

GHSA ID

GHSA-3vjc-5x79-m9r8

EPSS Score

0.56709%

CWE

CWE-611

Published

5/24/2022

Updated

4/25/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-25817

CVE-2020-25817:
SilverStripe XXE Vulnerability in CSSContentParser

SilverStripe through 4.6.0-rc1 has an XXE Vulnerability in CSSContentParser. A developer utility meant for parsing HTML within unit tests can be vulnerable to XML External Entity (XXE) attacks. When this developer utility is misused for purposes involving external or user submitted data in custom project code, it can lead to vulnerabilities such as XSS on HTML output rendered through this custom code. This is now mitigated by disabling external entities during parsing. (The correct CVE ID year is 2020 [CVE-2020-25817, not CVE-2021-25817]).

(GitHub Advisory)

4.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-25817

GHSA ID

GHSA-3vjc-5x79-m9r8

EPSS Score

0.56709%

CWE

CWE-611

Published

5/24/2022

Updated

4/25/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
silverstripe/framework	composer	>= 4.0.0, < 4.7.4	4.7.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from XML parsing in CSSContentParser allowing external entities. Though the class is intended for test purposes, its misuse with user-controlled data made it vulnerable. The patch explicitly disabled external entities (LIBXML_NOENT), confirming the root cause was insecure XML parsing configuration in this component. The primary vulnerable function would be the HTML/XML parsing logic within CSSContentParser initialization.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Silv*rStrip* t*rou** *.*.*-r** **s *n XX* Vuln*r**ility in *SS*ont*ntP*rs*r. * **v*lop*r utility m**nt *or p*rsin* *TML wit*in unit t*sts **n ** vuln*r**l* to XML *xt*rn*l *ntity (XX*) *tt**ks. W**n t*is **v*lop*r utility is misus** *or purpos*s invo

Reasoning

T** vuln*r**ility st*ms *rom XML p*rsin* in `*SS*ont*ntP*rs*r` *llowin* *xt*rn*l *ntiti*s. T*ou** t** *l*ss is int*n*** *or t*st purpos*s, its misus* wit* us*r-*ontroll** **t* m*** it vuln*r**l*. T** p*t** *xpli*itly *is**l** *xt*rn*l *ntiti*s (`LI*X

4.8

Basic Information

Concerned about an active attack path?

CVE-2020-25817: SilverStripe XXE Vulnerability in CSSContentParser

4.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2020-25817:
SilverStripe XXE Vulnerability in CSSContentParser

Vulnerability Intelligence
Miggo AI