Medium severity6.1NVD Advisory· Published Mar 6, 2017· Updated May 13, 2026

CVE-2017-5197

Description

There is XSS in SilverStripe CMS before 3.4.4 and 3.5.x before 3.5.2. The attack vector is a page name. An example payload is a crafted JavaScript event handler within a malformed SVG element.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
silverstripe/cmsPackagist	< 3.4.4	3.4.4
silverstripe/cmsPackagist	>= 3.5.0, < 3.5.2	3.5.2

Affected products

Silverstripe/Silverstripe3 versions
cpe:2.3:a:silverstripe:silverstripe:*:*:*:*:*:*:*:*+ 2 more
- cpe:2.3:a:silverstripe:silverstripe:*:*:*:*:*:*:*:*range: <=3.4.3
- cpe:2.3:a:silverstripe:silverstripe:3.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:silverstripe:silverstripe:3.5.1:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.securityfocus.com/bid/96572nvdThird Party AdvisoryVDB Entry
github.com/advisories/GHSA-xmjh-wjc5-wg4hghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2017-5197ghsaADVISORY
www.silverstripe.org/download/security-releases/nvdVendor Advisory
web.archive.org/web/20210123234141/http://www.securityfocus.com/bid/96572ghsaWEB
www.silverstripe.org/download/security-releasesghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.397
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000