CVE-2022-37430
Published 2022-11-23
Silverstripe silverstripe/framework through 4.11 allows XSS vulnerability via href attribute of a link (issue 2 of 2).
Priority: P4 (24) · Severity: medium, 5.4 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.52% (40.0th percentile)
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| silverstripe | framework | >= 3.0.0 < 4.11.13 | 4.11.13 |
| silverstripe | framework | >= 4.0.0 < 4.11.13 | 4.11.13 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| ghsa | | 5.4 | MEDIUM | |
| osv | | 5.4 | MEDIUM | |
GHSA
Stored XSS using uppercase characters in HTMLEditor
ghsa · 2022-11-21 · CVSS 5.4 · MEDIUM · CWE-79
A malicious content author could add a JavaScript payload to the href attribute of a link. A similar issue was identified and fixed via CVE-2022-28803. However, the fix didn't account for the casing of the href attribute. An attacker must have access to the CMS to exploit this issue.
OSV
Stored XSS using uppercase characters in HTMLEditor
osv · 2022-11-21 · CVSS 5.4 · MEDIUM
Advisory text identical to the GHSA entry above.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://forum.silverstripe.org/c/releases
- https://www.silverstripe.org/blog/tag/release
- https://www.silverstripe.org/download/security-releases/
- https://www.silverstripe.org/download/security-releases/CVE-2022-37430