How severe is CVE-2020-25817?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 4.8 out of 10.

What type of vulnerability is CVE-2020-25817?

This is classified as CWE-611, which is a common weakness in software security.

CVE-2020-25817 - MEDIUM Severity | CVSS 4.8

Vulnerability Description

SilverStripe through 4.6.0-rc1 has an XXE Vulnerability in CSSContentParser. A developer utility meant for parsing HTML within unit tests can be vulnerable to XML External Entity (XXE) attacks. When this developer utility is misused for purposes involving external or user submitted data in custom project code, it can lead to vulnerabilities such as XSS on HTML output rendered through this custom code. This is now mitigated by disabling external entities during parsing. (The correct CVE ID year is 2020 [CVE-2020-25817, not CVE-2021-25817]).

Related Vulnerabilities

CVE-2022-0239

MEDIUM

CVSS:4.7(Medium)

corenlp is vulnerable to Improper Restriction of XML External Entity Reference

CWE-6112022

CVE-2022-45194

MEDIUM

CVSS:4.7(Medium)

CBRN-Analysis before 22 allows XXE attacks via am mws XML document, leading to NTLMv2-SSP hash disclosure.

CWE-6112022

CVE-2016-9491

MEDIUM

CVSS:4.9(Medium)

ManageEngine Applications Manager 12 and 13 before build 13690 allows an authenticated user, who is able to access /register.do page (most likely limited to administrator), to browse the filesystem an...

CWE-6112016

CVE-2018-10077

MEDIUM

CVSS:4.9(Medium)

XML external entity (XXE) vulnerability in Geist WatchDog Console 3.2.2 allows remote authenticated administrators to read arbitrary files via crafted XML data.

CWE-6112018

CVE-2018-11719

MEDIUM

CVSS:4.9(Medium)

Xovis PC2, PC2R, and PC3 devices through 3.6.0 allow XXE.

CWE-6112018

CVE-2019-0265

MEDIUM

CVSS:4.9(Medium)

SLD Registration of ABAP Platform allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service. Fixed in versions KRNL32NUC 7.21, 7.21EXT, 7.22, ...

CWE-6112019