CVE-2022-25238
Published 2022-06-28
Priority: P4 25 · Severity: medium · CVSS 3.1 base score: 5.4
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.64% (46.1th percentile)
Silverstripe silverstripe/framework through 4.10.0 allows XSS inside of script tags that can be added to website content via XHR by an authenticated CMS user if the cwp-core module is not installed or the sanitise_server_side config is not set to true in project code.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| silverstripe | framework | <= 4.10.0 | — |
| silverstripe | framework | >= 4.0.0 < 4.10.9 | 4.10.9 |
CVSS provenance
NVD v3.1: 5.4 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
NVD v2.0: 3.5 LOW (AV:N/AC:M/Au:S/C:N/I:P/A:N)
OSV
Stored XSS via HTML fields in SilverStripe Framework
osv · 2022-06-29 · CVE-2022-25238 [MEDIUM]
SilverStripe Framework through 4.10.8 allows XSS inside of script tags that can be added to website content via XHR by an authenticated CMS user if the cwp-core module is not installed or the sanitise_server_side config is not set to true in project code.
GHSA
Stored XSS via HTML fields in SilverStripe Framework
ghsa · 2022-06-29 · CVE-2022-25238 [MEDIUM] · CWE-79
SilverStripe Framework through 4.10.8 allows XSS inside of script tags that can be added to website content via XHR by an authenticated CMS user if the cwp-core module is not installed or the sanitise_server_side config is not set to true in project code.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
https://docs.silverstripe.org/en/4/changelogs/4.10.1/
https://forum.silverstripe.org/c/releases
https://www.silverstripe.org/blog/tag/release
https://www.silverstripe.org/download/security-releases/