CVE-2022-25238

Name of the Vulnerable Software and Affected Versions Silverstripe silverstripe/framework versions 4.10.0 through 4.10.8 Silverstripe silverstripe/framework versions prior to 4.10.9 is not mentioned, however since 4.10.8 is the last version mentioned as vulnerable, we can assume that versions prior to the next version are vulnerable, but since the next version is not specified, we will use the last version mentioned as the end of the range.

Description The issue allows XSS inside of script tags that can be added to website content via XHR by an authenticated CMS user if the cwp-core module is not installed or the sanitise server side config is not set to true in project code.

Recommendations For Silverstripe silverstripe/framework versions 4.10.0 through 4.10.8, consider installing the cwp-core module or setting the sanitise server side config to true in project code to mitigate the risk of exploitation. As a temporary workaround, consider restricting access to XHR requests that can add script tags to website content until a patch is available. Avoid using the sanitise server side config set to false in the affected project code until the issue is resolved.