PatchSiren cyber security CVE debrief
CVE-2017-5197 Silverstripe CVE debrief
CVE-2017-5197 is a cross-site scripting issue in SilverStripe CMS affecting page-name handling. The vulnerability is described as reachable over the network and requiring user interaction, with an attacker able to influence a page name so that script executes in a victim’s browser context. The published advisory says the issue is fixed in SilverStripe CMS 3.4.4 and 3.5.2, and gives a malformed SVG/event-handler example of the injection style. The CVSS 6.1 score is consistent with browser-based impact rather than full system compromise.
- Vendor: Silverstripe
- Product: SilverStripe CMS
- CVE: CVE-2017-5197
- CVSS: MEDIUM 6.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-03-06
- Original CVE updated: 2026-05-13
- Advisory published: 2017-03-06
- Advisory updated: 2026-05-13
Who should care
SilverStripe CMS operators, developers, and security teams should care if they run versions earlier than 3.4.4 or 3.5.x earlier than 3.5.2, especially where page names can be created or edited by less-trusted users or reflected back into the UI.
Technical summary
The NVD record classifies this as CWE-79 (XSS) with CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. Read as a vector: no privileges are needed to reach the input (PR:N), a victim has to view the crafted content (UI:R), and the impact lands in that victim's browser rather than in the CMS server (S:C, with limited confidentiality and integrity loss). In practical terms, a remotely reachable page-name input can be used to inject script that executes in the browser of a user who views the affected content. The description names a crafted JavaScript event handler inside a malformed SVG element as an example of the payload shape, but the key defensive point is that user-controlled page names were not safely handled before the fixed releases: the fix is output encoding appropriate to the context the name is written into, not a blocklist of tags.
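To make "not safely handled" concrete, here is an added example (written for this debrief in Python; SilverStripe CMS is a PHP application and this is not its code) that renders a navigation entry from a page name in the vulnerable shape beside the hardened shape, and runs a small checker over both outputs. The page name, slug and the hypothetical render functions are constructed for illustration; the payload mirrors only the shape the advisory describes (an event handler inside a malformed SVG element).

```python
"""Page-name output encoding: vulnerable versus hardened rendering.

Added example, not SilverStripe code. The title, slug and render helpers
are constructed for illustration.
"""
import html
from html.parser import HTMLParser
from typing import List
from urllib.parse import quote

# Constructed page name in the shape the advisory describes: a JavaScript
# event handler inside a malformed SVG element. It only does anything if a
# template writes it into HTML without encoding.
HOSTILE_TITLE = "<svg/onload=alert(document.cookie)>Contact"


def render_nav_item_vulnerable(title: str, slug: str) -> str:
    """Interpolates the page name raw into an attribute and a text node.
    This is the failure mode the CVE describes, not a template to copy."""
    return f'<li><a href="/{slug}" title="{title}">{title}</a></li>'


def render_nav_item(title: str, slug: str) -> str:
    """Same markup with context-appropriate encoding.

    The slug is percent-encoded for the URL, then everything is HTML-encoded.
    quote=True also encodes both quote characters, so a name cannot close
    the attribute it sits in and start injecting its own attributes.
    """
    safe_title = html.escape(title, quote=True)
    safe_slug = html.escape(quote(slug, safe=""), quote=True)
    return f'<li><a href="/{safe_slug}" title="{safe_title}">{safe_title}</a></li>'


class _ActiveContentFinder(HTMLParser):
    """Records script-bearing tags and any on* event-handler attribute that
    the browser would actually see as markup (encoded text never gets here)."""

    ACTIVE_TAGS = {"script", "svg", "iframe", "object", "embed"}

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag in self.ACTIVE_TAGS:
            self.findings.append(f"tag:{tag}")
        for name, _ in attrs:
            if name.startswith("on"):
                self.findings.append(f"attr:{name}")


def active_content(rendered: str) -> List[str]:
    """Return the list of active-content findings for a rendered fragment.
    An empty list means the fragment carries no script-bearing markup."""
    parser = _ActiveContentFinder()
    parser.feed(rendered)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for label, render in (("vulnerable", render_nav_item_vulnerable),
                          ("hardened", render_nav_item)):
        out = render(HOSTILE_TITLE, "contact")
        print(f"{label}: {out}")
        print(f"  findings: {active_content(out) or 'none'}")
```

The checker is a test aid, not a defence: it confirms that encoding turned the hostile name into inert text (`&lt;svg/onload=...`), whereas the raw rendering parses as a real `<svg>` tag with an `onload` attribute. In a review of page-name handling, the question to ask at every output point is whether the name passes through encoding for that context (HTML text, attribute, URL, JavaScript string), not whether a particular tag is blocked.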
Defensive priority
Medium priority. It is network-reachable, needs no privileges, and can affect users who view crafted content, so remediation should be scheduled promptly for any affected SilverStripe CMS deployment.
Recommended defensive actions
- Upgrade SilverStripe CMS to 3.4.4 or later, or 3.5.2 or later, on all affected instances.
- Inventory deployed SilverStripe CMS versions and confirm none are earlier than the fixed releases.
- Review page-name validation and output encoding paths to ensure user-controlled names are safely handled in the UI.
- Audit any workflows that let untrusted or semi-trusted users create or edit page names.
- Treat any browser-side script execution risk as a session and data exposure issue, even though availability impact is not listed in the CVSS vector.
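The first two actions (upgrade and inventory) come down to deciding, per host, whether a deployed version sits inside the advisory's stated range and which fixed release it should move to. The following added example (not SilverStripe tooling; written for this debrief) encodes exactly the range the page states, before 3.4.4 and 3.5.x before 3.5.2, and runs it over a constructed inventory. Host names and versions are made up for illustration; `is_affected`, `recommended_fix` and `triage` are hypothetical helper names.

```python
"""Version triage for CVE-2017-5197.

Added example, not SilverStripe's own tooling. The affected range is taken
from the advisory text on this page: anything before 3.4.4, and 3.5.x before
3.5.2. The inventory at the bottom is constructed for illustration.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Fixed releases named in the advisory.
FIXED_3_4: Version = (3, 4, 4)
FIXED_3_5: Version = (3, 5, 2)

_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Optional[Version]:
    """Parse 'major.minor[.patch]'; a pre-release or build suffix such as
    '-rc1' is dropped. Returns None when the string has no version prefix."""
    match = _VERSION_RE.match(text)
    if not match:
        return None
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version: str) -> bool:
    """True when the version sits inside the advisory's stated range.

    3.5.x is compared against 3.5.2; every other version is compared against
    3.4.4. Releases newer than both branches (3.6+, 4.x) fall outside the
    stated range, which is not the same as a vendor statement that they are
    safe: this helper only encodes what the advisory says.
    """
    parsed = parse_version(version)
    if parsed is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    if parsed[:2] == (3, 5):
        return parsed < FIXED_3_5
    return parsed < FIXED_3_4


def recommended_fix(version: str) -> str:
    """Smallest fixed release on the same branch: 3.5.2 for 3.5.x, else 3.4.4."""
    parsed = parse_version(version)
    if parsed is not None and parsed[:2] == (3, 5):
        return "3.5.2"
    return "3.4.4"


def triage(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (host, version, fixed_release) for every host still exposed,
    sorted by host name so the output is stable for ticketing."""
    exposed = []
    for host, version in sorted(inventory.items()):
        if is_affected(version):
            exposed.append((host, version, recommended_fix(version)))
    return exposed


# Constructed inventory, not real hosts.
SAMPLE_INVENTORY = {
    "www-1": "3.4.3",
    "www-2": "3.5.1",
    "intranet": "3.5.2",
    "legacy": "3.1.20",
    "staging": "3.6.0",
}

if __name__ == "__main__":
    for host, version, fix in triage(SAMPLE_INVENTORY):
        print(f"{host}: {version} is affected, upgrade to {fix} or later")
```

Pre-release strings such as `3.5.0-rc1` are compared on their numeric prefix, so a release candidate of a fixed version is still reported as affected; that errs on the side of a ticket rather than a miss. Unparseable version strings raise rather than silently passing, because an inventory entry you cannot classify is itself a finding.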
Evidence notes
Primary evidence comes from the supplied NVD/CVE record, published 2017-03-06 and last modified 2026-05-13. The record lists SilverStripe CMS as affected and its description states the affected range as versions before 3.4.4 and 3.5.x before 3.5.2. The NVD entry also classifies the weakness as CWE-79 and provides the CVSS vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The source corpus includes a vendor-advisory reference to SilverStripe security releases and a third-party SecurityFocus entry, but this debrief relies only on details present in the supplied text.
Official resources
- CVE-2017-5197 CVE record (CVE.org)
- CVE-2017-5197 NVD detail (NVD)
- Mitigation or vendor reference: SecurityFocus entry (Third Party Advisory, VDB Entry)
- Mitigation or vendor reference: SilverStripe security releases (Vendor Advisory)
Publicly disclosed on 2017-03-06, the CVE/NVD publication date. The NVD record was last modified on 2026-05-13. The supplied description states the issue is fixed in SilverStripe CMS 3.4.4 and 3.5.2.