
CVE-2022-25238 silverstripe/framework

Package

Manager: composer
Name: silverstripe/framework
Vulnerable Version: >=4.0.0 <4.10.9

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00338 (percentile 0.55957)

Details

Stored XSS via HTML fields in SilverStripe Framework

SilverStripe Framework through 4.10.8 allows stored XSS via script tags that can be added to website content over XHR by an authenticated CMS user, if the cwp-core module is not installed or the sanitise_server_side config is not set to true in project code. Fixed in 4.10.9.
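The sanitise_server_side setting named above is a SilverStripe YAML config value. The fragment below is an added example, not code from this advisory or from the SilverStripe project; the class it targets (HTMLEditorField) and the file path are assumptions taken from the 4.x configuration conventions, not from the advisory text. It shows the weak default next to the hardened value for a project that cannot upgrade to 4.10.9 immediately:

```yaml
# app/_config/htmleditor-sanitise.yml  (file name is an assumption)
#
# Weak state (the framework default, equivalent to leaving this out):
#   SilverStripe\Forms\HTMLEditor\HTMLEditorField:
#     sanitise_server_side: false
#
# Hardened state: sanitise HTML submitted through HTMLEditorField on the
# server rather than trusting the client-side editor. This is a mitigation
# only; upgrading silverstripe/framework to >=4.10.9 is the fix.
---
Name: app-htmleditor-sanitise
---
SilverStripe\Forms\HTMLEditor\HTMLEditorField:
  sanitise_server_side: true
```

After adding the fragment, flush the config cache (for example by loading any page with ?flush=1 as an administrator) and then verify that a script tag pasted into an HTML editor field by a non-admin CMS user no longer survives a save. Because the setting acts when content passes through HTMLEditorField, content written by other routes is not covered by it, which is why the version bump remains the required remediation.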

Metadata

Created: 2022-06-29T22:14:03Z
Modified: 2022-07-11T19:25:29Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-jx34-gqqq-r6gm/GHSA-jx34-gqqq-r6gm.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-jx34-gqqq-r6gm
Finding: F425
Auto approve: 1