CVE-2022-28803 — Cross-site Scripting in Silverstripe

Severity

5.4MEDIUMNVD

EPSS

0.1%

top 64.58%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Timeline

PublishedJun 29

Latest updateNov 21

Description

In SilverStripe Framework through 2022-04-07, Stored XSS can occur in javascript link tags added via XMLHttpRequest (XHR).

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

▶Packagistsilverstripe/framework4.0.0 — 4.11.13+1

GHSA

Stored XSS using uppercase characters in HTMLEditor↗2022-11-21

▶

OSV

Stored XSS using uppercase characters in HTMLEditor↗2022-11-21

▶

OSV

Stored XSS in link tags added via XHR in SilverStripe Framework↗2022-06-29

▶

GHSA

Stored XSS in link tags added via XHR in SilverStripe Framework↗2022-06-29

▶