CVE-2025-25197
Description
Silverstripe Elemental extends a page type to swap the content area for a list of manageable elements to compose a page out of rather than a single text field. An elemental block can include an XSS payload, which can be executed when viewing the "Content blocks in use" report. The vulnerability is specific to that report and is a result of failure to cast input prior to including it in the grid field. This vulnerability is fixed in 5.3.12.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Silverstripe Elemental's 'Content blocks in use' report fails to sanitize input, allowing stored XSS via crafted elemental block content.
The vulnerability resides in the 'Content blocks in use' report of Silverstripe Elemental, which extends page types with a block-based content area. The report fails to properly cast user-supplied input before including it in a GridField, leading to a stored XSS condition [1][2].
An attacker with the ability to create or edit elemental blocks can inject malicious JavaScript into block titles, HTML content, or associated page titles. When a user with administrative privileges views the 'Content blocks in use' report, the payload executes in the browser context of that user [3]. The attack requires authenticated access but no privileges beyond the ability to manage elemental content.
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's session, potentially leading to session hijacking, data exfiltration, or administrative actions on behalf of the victim. The XSS is stored within the content blocks, making it persistent across sessions until cleaned [2].
The fix is implemented in version 5.3.12 of the silverstripe-elemental module. The commit 34ff4ed introduces proper HTML escaping for all fields displayed in the report [3]. Administrators are advised to upgrade immediately. No workarounds are documented, though restricting access to the report for untrusted users may reduce risk [4].
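The interplay between a GridField column's 'casting' and 'formatting' keys is the crux of this bug. The following is an added illustration, not SilverStripe's code: it models that interplay in plain PHP, with `raw2xml()` standing in for `Convert::raw2xml` (htmlspecialchars with ENT_QUOTES) and a plain array standing in for a BaseElement record.

```php
<?php
// Added illustration, not SilverStripe code: a stripped-down model of how a
// GridField column's 'casting' and 'formatting' keys interact, to show why the
// ElementsInUseReport closures had to escape their own output. In SilverStripe,
// a casting of 'HTMLText->RAW' tells the grid to emit the closure's return
// value verbatim, so the closure is the last line of defence. raw2xml() below
// stands in for Convert::raw2xml (htmlspecialchars with ENT_QUOTES).

function raw2xml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Render one cell: run the formatter, then apply the column's casting the way
// the grid would. $record is an associative array standing in for a BaseElement.
function renderCell(array $column, array $record): string
{
    $value = $record[$column['field']] ?? '';
    if (isset($column['formatting'])) {
        $value = $column['formatting']($value, $record);
    }
    // RAW casting means "trusted HTML, output as-is"; every other casting is
    // escaped by the grid before it reaches the page.
    return ($column['casting'] ?? 'Text') === 'HTMLText->RAW' ? $value : raw2xml($value);
}

// Constructed sample record with a script tag in a user-controlled page title.
$element = ['PageTitle' => "<script>alert('xss-page-title');</script>"];

// Pre-fix shape: RAW casting combined with a closure that returns the raw field.
$vulnerableColumn = [
    'field' => 'PageTitle',
    'casting' => 'HTMLText->RAW',
    'formatting' => fn ($value, array $item) => $item['PageTitle'],
];

// Post-fix shape, mirroring commit 34ff4ed: the closure escapes before returning.
$fixedColumn = [
    'field' => 'PageTitle',
    'casting' => 'HTMLText->RAW',
    'formatting' => fn ($value, array $item) => raw2xml($item['PageTitle']),
];

echo "vulnerable: ", renderCell($vulnerableColumn, $element), PHP_EOL;
echo "fixed:      ", renderCell($fixedColumn, $element), PHP_EOL;
```

Run with `php` on the command line; the first line reproduces the injected markup unchanged, the second shows it entity-encoded so the browser renders it as text.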
- [CVE-2025-25197] Prevent XSS in content blocks in use report by emteknetnz · Pull Request #1345 · silverstripe/silverstripe-elemental
- NVD - CVE-2025-25197
- [CVE-2025-25197] Prevent XSS in content blocks in use report (#1345) · silverstripe/silverstripe-elemental@34ff4ed
- security-advisories/dnadesign/silverstripe-elemental/CVE-2025-25197.yaml at master · FriendsOfPHP/security-advisories
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| dnadesign/silverstripe-elemental (Packagist) | >= 2.1.2, < 5.3.12 | 5.3.12 |
Affected products
- Range: <5.3.12
Patches
34ff4ed498cc [CVE-2025-25197] Prevent XSS in content blocks in use report (#1345)
2 files changed · +53 −4
src/Reports/ElementsInUseReport.php+3 −4 modified@@ -11,6 +11,7 @@ use SilverStripe\Reports\Report; use SilverStripe\View\ArrayData; use SilverStripe\View\Requirements; +use SilverStripe\Core\Convert; class ElementsInUseReport extends Report { @@ -50,8 +51,6 @@ public function columns() 'Title' => [ 'title' => _t(__CLASS__ . '.Title', 'Title'), 'formatting' => function ($value, BaseElement $item) { - $value = $item->Title; - if (!empty($value)) { if ($link = $item->CMSEditLink()) { return $this->getEditLink($value, $link); @@ -66,7 +65,7 @@ public function columns() 'casting' => 'HTMLText->RAW', 'formatting' => function ($value, BaseElement $item) { try { - return $item->getSummary(); + return Convert::raw2xml($item->getSummary()); } catch (InvalidArgumentException $exception) { // Don't break the report, just continue. Image manipulation is an example which may // throw exceptions here. @@ -92,7 +91,7 @@ public function columns() return $this->getEditLink($value, $link); } } - return $item->getPageTitle(); + return Convert::raw2xml($item->getPageTitle()); }, ], ];
tests/Reports/ElementsInUseReportTest.php+50 −0 modified@@ -4,13 +4,16 @@ use DNADesign\Elemental\Extensions\ElementalPageExtension; use DNADesign\Elemental\Models\BaseElement; +use DNADesign\Elemental\Models\ElementalArea; use DNADesign\Elemental\Models\ElementContent; use DNADesign\Elemental\Reports\ElementsInUseReport; use DNADesign\Elemental\Tests\Src\TestElement; use DNADesign\Elemental\Tests\Src\TestPage; +use SilverStripe\CMS\Model\SiteTree; use SilverStripe\Dev\FunctionalTest; use SilverStripe\GraphQL\Tests\Schema\NaiveSchemaBuilder; use SilverStripe\ORM\DataList; +use SilverStripe\Forms\GridField\GridField; class ElementsInUseReportTest extends FunctionalTest { 
@@ -108,4 +111,51 @@ public function testSourceRecordsFilteredByClassName() 'Only contains filtered element type' ); } + + public function provideXssEscaped(): array + { + return [ + 'xss' => [ + 'pageTitle' => "<script>alert('xss-page-title');</script>", + 'elementTitle' => "<script>alert('xss-element-title');</script>", + 'elementHtml' => "<script>alert('xss-element-html');</script>", + 'expectTitle' => '<script>alert('xss-element-title');</script>', + 'expectSummary' => 'alert('xss-element-html');', + 'expectPageTitle' => '<script>alert('xss-page-title');</script>', + ], + 'xss-escaped' => [ + 'pageTitle' => "<script>alert('xss-page-title');</script>", + 'elementTitle' => "<script>alert('xss-element-title');</script>", + 'elementHtml' => "<script>alert('xss-element-html');</script>", + 'expectTitle' => '&lt;script&gt;alert('xss-element-title');&lt;/script&gt;', + 'expectSummary' => 'alert('xss-element-html');', + 'expectPageTitle' => '&lt;script&gt;alert('xss-page-title');&lt;/script&gt;', + ], + ]; + } + + /** + * @dataProvider provideXssEscaped + */ + public function testXssEscaped( + string $pageTitle, + string $elementTitle, + string $elementHtml, + string $expectTitle, + string $expectSummary, + string $expectPageTitle + ): void { + $area = new ElementalArea(); + $areaID = $area->write(); + (new TestPage(['Title' => $pageTitle, 'ElementalAreaID' => $areaID]))->write(); + $element = new ElementContent(['Title' => $elementTitle, 'HTML' => $elementHtml, 'ParentID' => $areaID]); + $elementID = $element->write(); + $element = ElementContent::get()->byID($elementID); + $report = new ElementsInUseReport(); + /** @var GridField $gridField */ + $gridField = $report->getReportField(); + $this->assertStringContainsString($expectTitle, $gridField->getColumnContent($element, 'Title')); + $this->assertStringContainsString($expectSummary, $gridField->getColumnContent($element, 'ElementSummary')); + $this->assertStringContainsString($expectPageTitle, 
$gridField->getColumnContent($element, 'Page.Title')); + } }
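Review bot: in the Title column hunk, dropping `$value = $item->Title;` makes the closure rely on the `$value` the GridField passes in already being cast, so please confirm that the Title column keeps a non-RAW casting and that `getEditLink($value, $link)` does not escape a second time, which would double-encode entities in the link text. A one-line comment above the closure stating that `$value` arrives pre-escaped would spare the next reader the same question.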
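Review bot: the ElementSummary column keeps `'casting' => 'HTMLText->RAW'` while the closure now returns `Convert::raw2xml($item->getSummary());`, which is plain escaped text rather than HTML; either revisit the casting (a non-RAW casting would let the grid escape for you and remove the manual call) or add a comment on the RAW declaration explaining that it shifts the escaping duty onto the closure. The `catch (InvalidArgumentException $exception)` branch that "just continues" is outside the hunk, so also check that whatever it returns is safe under RAW casting.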
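Review bot: in the Page.Title hunk only the fall-through `return Convert::raw2xml($item->getPageTitle());` is escaped; the branch just above it still does `return $this->getEditLink($value, $link);` with `$value` untouched, so the fix depends on `$value` already being escaped by the grid or on getEditLink escaping it. Please confirm which of the two holds (and that only one does, to avoid double encoding) and record it in a comment next to the branch.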
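Review bot: `use SilverStripe\CMS\Model\SiteTree;` is added to the test file but nothing in the new test references SiteTree (the page is created through TestPage), so the import looks unused and should be dropped or its use shown; `use SilverStripe\Forms\GridField\GridField;` is also placed after `SilverStripe\ORM\DataList`, breaking the alphabetical order the surrounding `use` block follows.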
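Review bot: in provideXssEscaped the 'xss' and 'xss-escaped' datasets feed identical inputs but expect different outputs (raw `<script>` in one, `&lt;script&gt;` in the other), so as shown at least one of them cannot pass against the same getColumnContent result; if the first documents pre-fix behaviour it should be removed or marked as such, otherwise the expectations need reconciling. As rendered, the expected strings also contain unescaped single quotes inside single-quoted PHP literals (e.g. `'alert('xss-element-html');'`), which would not parse, and the expected values should be checked against what Convert::raw2xml actually emits for the quote characters. Lastly, assertStringContainsString with `expectSummary` = `alert('xss-element-html');` is satisfied by both the escaped and the unescaped summary, so it proves nothing about escaping; asserting that `<script>` is absent from the rendered cell would.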
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-x8xm-c7p8-2pj2 [ghsa, ADVISORY]
- nvd.nist.gov/vuln/detail/CVE-2025-25197 [ghsa, ADVISORY]
- github.com/FriendsOfPHP/security-advisories/blob/master/dnadesign/silverstripe-elemental/CVE-2025-25197.yaml [ghsa, WEB]
- github.com/silverstripe/silverstripe-elemental/commit/34ff4ed498ccab94cc5f55ef9a56c37f491eda1d [nvd, WEB]
- github.com/silverstripe/silverstripe-elemental/pull/1345 [ghsa, WEB]
- github.com/silverstripe/silverstripe-elemental/security/advisories/GHSA-x8xm-c7p8-2pj2 [nvd, WEB]
- www.silverstripe.org/download/security-releases/cve-2025-25197 [ghsa, WEB]
- www.silverstripe.org/download/security-releases/CVE-2025-25197 [nvd]