CVE-2020-25817: SilverStripe XXE Vulnerability in CSSContentParser
CVSS Score: 4.8 (CVSS 3.1)
Basic Information
CVE ID: CVE-2020-25817
GHSA ID:
EPSS Score: 0.56709%
CWE:
Published: 5/24/2022
Updated: 4/25/2024
KEV Status: No
Technology: PHP
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
silverstripe/framework | composer | >= 4.0.0, < 4.7.4 | 4.7.4 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from the XML parsing in CSSContentParser, which loaded the supplied markup with entity substitution enabled (the LIBXML_NOENT flag). With that flag set, a document carrying a DOCTYPE that declares an external entity can pull local file contents into the parsed tree or make the parser fetch remote resources. The class is intended for test purposes only, but wherever it was used on user-controlled markup this configuration made it exploitable. The patch in 4.7.4 disables external entity substitution (the parser is no longer invoked with LIBXML_NOENT), confirming that the root cause was an insecure XML parser configuration in this component. The vulnerable code path is the HTML/XML parsing performed when a CSSContentParser instance is constructed.
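The following is an added example, not SilverStripe's own code, that reproduces the parsing pattern described above: `simplexml_load_string()` called with `LIBXML_NOENT` on attacker-controlled markup, beside a hardened variant that drops the flag and additionally refuses any document carrying a DOCTYPE. The function names, the temporary "secret" file and the payload are all constructed for the demonstration and are not taken from the advisory.

```php
<?php
declare(strict_types=1);

// Added example (not SilverStripe code). Shows why parsing user-controlled
// markup with LIBXML_NOENT is an XXE primitive, and what the fix looks like.

/** Constructed attacker input: a DOCTYPE declaring an external entity that
 *  points at a local file, referenced from inside the markup body. */
function buildXxePayload(string $secretPath): string
{
    return <<<XML
<?xml version="1.0"?>
<!DOCTYPE html [
  <!ENTITY xxe SYSTEM "file://{$secretPath}">
]>
<html><body><div class="message">&xxe;</div></body></html>
XML;
}

/** Vulnerable pattern: LIBXML_NOENT tells libxml to substitute entities,
 *  including external ones, so &xxe; becomes the file's contents. */
function parseWithEntities(string $content): ?SimpleXMLElement
{
    $xml = @simplexml_load_string($content, 'SimpleXMLElement', LIBXML_NOENT);
    return $xml === false ? null : $xml;
}

/** Hardened pattern (hypothetical helper): no LIBXML_NOENT, LIBXML_NONET to
 *  block network fetches, and an explicit refusal of any DOCTYPE so that
 *  entity declarations never reach the parser at all. */
function parseHardened(string $content): ?SimpleXMLElement
{
    if (stripos($content, '<!DOCTYPE') !== false) {
        return null; // user-supplied markup has no business declaring a DTD
    }
    $xml = @simplexml_load_string($content, 'SimpleXMLElement', LIBXML_NONET);
    return $xml === false ? null : $xml;
}

// A temp file stands in for a sensitive local file such as .env (constructed).
$secret = tempnam(sys_get_temp_dir(), 'xxe');
file_put_contents($secret, "DB_PASSWORD=hunter2\n");

$payload = buildXxePayload($secret);

$vulnerable = parseWithEntities($payload);
echo "With LIBXML_NOENT:  ", trim((string) $vulnerable->body->div), "\n";

$hardened = parseHardened($payload);
echo "Hardened parser:    ", $hardened === null ? "document rejected" : "parsed", "\n";

// Benign input still parses under the hardened settings.
$benign = parseHardened('<html><body><div class="message">hello</div></body></html>');
echo "Hardened on benign: ", (string) $benign->body->div, "\n";

unlink($secret);
```

Run with `php xxe_demo.php`: the first line prints `DB_PASSWORD=hunter2`, the second `document rejected`, the third `hello`. Even without the DOCTYPE check, simply omitting `LIBXML_NOENT` leaves `&xxe;` unexpanded, which is the core of the 4.7.4 fix; the DOCTYPE rejection is the extra belt-and-braces check worth adding anywhere untrusted markup is parsed.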