CVE-2022-37421 Stored XSS in custom meta tags
- Severity:
- Low (?)
- Identifier:
- CVE-2022-37421
- Versions Affected:
- silverstripe/cms: ^4.0.0, ^3.0.0
- Versions Fixed:
- silverstripe/cms: 4.11.3
- Release Date:
- 2022-11-21
A malicious content author could create a custom meta tag and execute an arbitrary JavaScript payload. This would require convincing a legitimate user to access a page and enter a custom keyboard shortcut.
This requires CMS access to exploit.
Most projects should be able to apply the patch without further work. There's no legitimate use case for this behaviour.
Regression testing should focus on pages with pre-existing custom meta tags, if any are present.
Base CVSS: 3.7
Reported by: TF1T via huntr.dev