VYPR
Moderate severity · NVD Advisory · Published Jul 17, 2024 · Updated Aug 2, 2024

Cross-site Scripting vulnerability with encoded payload in silverstripe/framework

CVE-2024-32981

Description

Silverstripe framework is the PHP framework forming the base for the Silverstripe CMS. In affected versions a bad actor with access to edit content in the CMS could send a specifically crafted encoded payload to the server, which could be used to inject a JavaScript payload on the front end of the site. The payload would be sanitised on the client side, but server-side sanitisation doesn't catch it. The server-side sanitisation logic has been updated to sanitise against this type of attack in version 5.2.16. All users are advised to upgrade. There are no known workarounds for this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Silverstripe Framework 5.2.15 and earlier allow stored XSS via crafted encoded payloads that bypass server-side sanitization.

Vulnerability

Overview

CVE-2024-32981 is a stored cross-site scripting (XSS) vulnerability in the Silverstripe Framework, the PHP backend of Silverstripe CMS. An attacker with CMS content editing privileges can inject malicious JavaScript by submitting a specially crafted, encoded payload. The payload is sanitized client-side but bypasses server-side sanitization, allowing it to be stored and executed on the front-end site. The root cause is insufficient filtering of `data:text/html` URIs in HTML attributes such as `data` on `<object>` elements [1][2].

Attack

Vector and Exploitation

Exploitation requires an account with CMS edit access. The attacker crafts a payload using `data:text/html;base64,...` encoding (or similar variants) within the `data` attribute of an HTML element, e.g. `<object data="data:text/html;base64,...">`. The server-side sanitizer previously only blocked `javascript:` URIs and did not detect `data:text/html;`, nor obfuscated versions using line breaks or different casing. When the stored content is rendered, the payload executes in the context of the victim's browser [2].

Impact

A successful attack results in persistent XSS (stored XSS). The attacker can execute arbitrary JavaScript in the browsers of users visiting the affected page. This can lead to session hijacking, defacement, credential theft, or other client-side attacks. The impact is elevated as the attacker only needs CMS author-level access, not administrator [1].

Mitigation

The vulnerability is fixed in Silverstripe Framework version 5.2.16. The fix extends the regular expression to also block `data:text/html;` URIs, including variants with line breaks between characters or mixed case. No workarounds are available. Users must upgrade to 5.2.16 or later [1][2][4].
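As an added example (not Silverstripe's own code), the following rebuilds the pre- and post-fix regex from the patch and applies it the way the sanitiser loop does, so the bypass described above and the 5.2.16 fix can be compared on the same constructed inputs, including the whitespace-split upper-case variant and a benign `text/xml` URI that must survive.

```php
<?php
// Added example, not Silverstripe's own code: rebuilds the pre- and post-fix
// attribute regex from the 5.2.16 patch and applies it like the sanitiser loop.
declare(strict_types=1);
// Pre-fix pattern: "javascript:" only, tolerating whitespace between characters.
function preFixRegex(): string
{
    return '/^\s*' . implode('\s*', str_split('javascript:')) . '/i';
}
// Post-fix pattern: adds "data:text/html;" as an alternative. The delimiter
// becomes "#" because the new alternative contains "/".
function postFixRegex(): string
{
    return '#^\s*(' . implode('\s*', str_split('javascript:')) . '|'
        . implode('\s*', str_split('data:text/html;')) . ')#i';
}
// Mirror of the sanitiser loop: remove src/href/data attributes whose value
// matches the regex, and return the surviving markup.
function stripDangerousUris(string $fragment, string $regex): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);
    $doc->loadHTML('<div>' . $fragment . '</div>', LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    foreach ($doc->getElementsByTagName('*') as $el) {
        foreach (['src', 'href', 'data'] as $dangerAttribute) {
            if ($el->hasAttribute($dangerAttribute) && preg_match($regex, $el->getAttribute($dangerAttribute))) {
                $el->removeAttribute($dangerAttribute);
            }
        }
    }
    $out = '';
    foreach ($doc->documentElement->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}
// Constructed inputs; "QUJD" is base64 for "ABC", a placeholder body only.
$cases = [
    'javascript: URI'          => '<object data="javascript:alert()"></object>',
    'data:text/html'           => '<object data="data:text/html;base64,QUJD"></object>',
    'split upper-case variant' => '<object data="' . implode("\n", str_split(' DATA:TEXT/HTML;')) . 'base64,QUJD"></object>',
    'benign data:text/xml'     => '<object data="data:text/xml;base64,QUJD"></object>',
];
foreach ($cases as $label => $html) {
    echo $label, "\n  pre-fix:  ", stripDangerousUris($html, preFixRegex()),
        "\n  post-fix: ", stripDangerousUris($html, postFixRegex()), "\n";
}
```

With the pre-fix regex only the `javascript:` case loses its attribute; with the post-fix regex both `data:text/html` cases are stripped as well, while the `text/xml` object is retained unchanged.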

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                              Affected versions   Patched versions
silverstripe/framework (Packagist)   < 5.2.16            5.2.16

Patches

b8d20dc9d531

[CVE-2024-32981] Disallow `data:text/html` in data attributes

2 files changed · +26 −2
  • src/Forms/HTMLEditor/HTMLEditorSanitiser.php · +1 −1 · modified
    @@ -347,7 +347,7 @@ public function sanitise(HTMLValue $html)
                     }
     
                     // Matches "javascript:" with any arbitrary linebreaks inbetween the characters.
    -                $regex = '/^\s*' . implode('\s*', str_split('javascript:')) . '/i';
    +                $regex = '#^\s*(' . implode('\s*', str_split('javascript:')) . '|' . implode('\s*', str_split('data:text/html;')) . ')#i';
                     // Strip out javascript execution in href or src attributes.
                     foreach (['src', 'href', 'data'] as $dangerAttribute) {
                         if ($el->hasAttribute($dangerAttribute)) {
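Review bot: the comment on the line above the changed regex still describes only `javascript:`, while the new alternation also matches `data:text/html;`; update it to name both prefixes. Also note that the new branch requires a literal `;` after the media type, so it only covers data URIs that carry a parameter such as `;base64`; matching `data:text/html` followed by either `;` or `,` with the same whitespace-tolerant construction would cover the parameterless form of the URI too.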
    
  • tests/php/Forms/HTMLEditor/HTMLEditorSanitiserTest.php · +25 −1 · modified
    @@ -120,7 +120,31 @@ public function testSanitisation()
                     'object[data]',
                     '<object data=javascript:alert()>',
                     '<object></object>',
    -                'Object with dangerous content in data attribute is completely removed'
    +                'Object with dangerous javascript content in data attribute is completely removed'
    +            ],
    +            [
    +                'object[data]',
    +                '<object data="javascript:alert()">',
    +                '<object></object>',
    +                'Object with dangerous javascript content in data attribute with quotes is completely removed'
    +            ],
    +            [
    +                'object[data]',
    +                '<object data="data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5sb2NhdGlvbik8L3NjcmlwdD4=">',
    +                '<object></object>',
    +                'Object with dangerous html content in data attribute is completely removed'
    +            ],
    +            [
    +                'object[data]',
    +                '<object data="' . implode("\n", str_split(' DATA:TEXT/HTML;')) . 'base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5sb2NhdGlvbik8L3NjcmlwdD4=">',
    +                '<object></object>',
    +                'Object with split upper-case dangerous html content in data attribute is completely removed'
    +            ],
    +            [
    +                'object[data]',
    +                '<object data="data:text/xml;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5sb2NhdGlvbik8L3NjcmlwdD4=">',
    +                '<object data="data:text/xml;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5sb2NhdGlvbik8L3NjcmlwdD4="></object>',
    +                'Object with safe xml content in data attribute is retained'
                 ],
                 [
                     'img[src]',
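Review bot: all new cases exercise `object[data]` only, although the production loop applies the same regex to `src` and `href`; add at least one `data:text/html;` case on `img[src]` (already present in this table) so the new branch is covered for those attributes as well. The `text/xml` negative case is a good addition; a `data:text/html,` case without `;base64` would also pin down whether the parameterless URI form is intended to be blocked.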
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
