CVE-2022-37430 Stored XSS using uppercase characters in HTMLEditor

This site requires you to update your browser. Your browsing experience maybe affected by not having the most up to date version.

Severity:: Medium (?)
Identifier:: CVE-2022-37430
Versions Affected:: silverstripe/framework: ^3.0.0, ^4.0.0
Versions Fixed:: silverstripe/framework: 4.11.13
Release Date:: 2022-11-21

A malicious content author could add a Javascript payload to the href attribute of a link. A similar issue was identified and fixed via CVE-2022-28803. However, the fix didn't account for the casing of the href attribute.
An attacker must have access to the CMS to exploit this issue.

Most projects should be able to apply the patch without further work. There's no legitimate use case for this behaviour.

Regression testing should focus on link creations within HTML editor fields.

Base CVSS: 4.6

Reported by: Steve Boyd from Silverstripe Ltd