CVE-2019-14272
Description
In SilverStripe asset-admin 4.0, there is XSS in file titles managed through the CMS.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SilverStripe asset-admin 4.0 is vulnerable to stored XSS via crafted file titles managed through the CMS.
Vulnerability Details
CVE-2019-14272 describes a stored cross-site scripting (XSS) issue in SilverStripe asset-admin 4.0. The vulnerability stems from insufficient sanitization of file titles entered through the CMS interface. When a user creates or edits a file record, the title field is not properly escaped before being rendered, allowing an attacker to inject arbitrary HTML or JavaScript code [2][4].
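The defect described above, as an added illustration rather than SilverStripe's own code: a stored file title that is concatenated straight into the file-list markup executes in the viewer's browser, while the same stored value rendered through output encoding stays inert. The records, render functions and the `containsRawTag` regression check are all constructed for this example.

```javascript
// Added illustration (not SilverStripe's code): how a stored file title
// becomes XSS when it is dropped into markup unescaped, and how
// output-encoding at render time neutralises the same stored value.

// Constructed sample records, as they might sit in the CMS database.
// The second title is a stored payload; it is harmless until rendered raw.
const files = [
  { id: 1, title: 'Annual report 2019.pdf' },
  { id: 2, title: '<img src=x onerror="alert(1)">' },
];

// Vulnerable pattern: the title is trusted and inserted straight into HTML.
function renderFileListUnsafe(records) {
  return records.map(f => `<li data-id="${f.id}">${f.title}</li>`).join('');
}

// Output-encode the five characters HTML treats specially.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Hardened pattern: escape at the rendering boundary, not at storage time,
// so the original title round-trips unchanged and every sink is covered.
function renderFileListSafe(records) {
  return records
    .map(f => `<li data-id="${f.id}">${escapeHtml(f.title)}</li>`)
    .join('');
}

// Defender-side regression check for any view that shows user-controlled
// titles: after removing the list's own <li> tags, does any raw
// script-capable tag survive in the rendered output?
function containsRawTag(html) {
  const body = html.replace(/<\/?li\b[^>]*>/g, '');
  return /<(?:img|script|svg|iframe)\b/i.test(body);
}
```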
Exploitation and Attack Vector
Exploitation requires authenticated CMS access, typically limited to users who have permission to manage files. An attacker with such access can save a malicious file title containing script payloads. When other users (including administrators) view the file list or any area where the title is displayed, the injected script executes in their browser. No interaction beyond normal page visits is needed after the malicious title is stored [2][4].
Impact
Successful exploitation leads to XSS attacks within the SilverStripe admin interface. This can result in session theft, forced actions on behalf of the victim, defacement, or exfiltration of sensitive information displayed in the CMS. Because the attack originates from a trusted domain, conventional XSS filters may not prevent it [2].
Mitigation
Users should upgrade to a patched version of the SilverStripe framework. The security advisory from FriendsOfPHP indicates a fix is available, and the vendor's release channel lists subsequent versions that address this issue [1][4]. No known exploitation in the wild has been reported as of this writing.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| silverstripe/framework (Packagist) | >= 4.0.0, < 4.3.5 | 4.3.5 |
| silverstripe/framework (Packagist) | >= 4.4.0, < 4.4.4 | 4.4.4 |
Affected products
- SilverStripe/asset-admin
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-jgw2-f5mx-rg7h (GHSA: advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-14272 (GHSA: advisory)
- forum.silverstripe.org/c/releases (GHSA: web)
- github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2019-14272.yaml (GHSA: web)
- www.silverstripe.org/blog/tag/release (GHSA: web)
- www.silverstripe.org/download/security-releases/ (MITRE)
- www.silverstripe.org/download/security-releases/CVE-2019-14272 (GHSA: web, vendor confirmation)
News mentions
No linked articles in our index yet.