Skip to main content

This site requires you to update your browser. Your browsing experience maybe affected by not having the most up to date version.

CVE-2022-25238 - Stored XSS via HTML fields

CVE-2022-25238 - Stored XSS via HTML fields

Severity:
Medium (?)
Identifier:
CVE-2022-25238
Versions Affected:
silverstripe/framework: <=4.10.8
Versions Fixed:
silverstripe/framework: 4.10.9
Release Date:
2022-06-28

XSS inside of script tags can can be added to website content via XHR by an authenticated CMS user if the cwp-core module is not installed on the sanitise_server_side contig is not set to true in project code.

Base CVSS: 5.4

Reported by: Greg Best from Aura Information Security