PT-2022-19248 · Silverstripe · Silverstripe/Framework

Ranjit-Git

·

Published

2022-06-29

·

Updated

2024-03-06

·

CVE-2022-28803

CVSS v3.1

5.4

Medium

Vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: SilverStripe Framework versions prior to 4.10.9. The CVE record describes the affected range as "SilverStripe Framework through 2022-04-07", which refers to the code base as of that date rather than to a release number: any checkout from before the fix is affected.
Description: Stored cross-site scripting (XSS) through hyperlinks that use the javascript: URL scheme. An authenticated CMS user with content-editing rights can submit an HTML link whose href attribute carries a javascript: payload; when that content is saved through an XMLHttpRequest (XHR) request the link is stored and later rendered on the site, and the script runs in the browser of any visitor or editor who clicks it. The CVSS vector reflects this: low privileges are required (PR:L), the victim must interact with the link (UI:R), and the impact crosses from the CMS into the published site (S:C).
Recommendations: Update SilverStripe Framework to version 4.10.9 or later. Installations tracked by checkout date rather than by release (the "through 2022-04-07" range) are affected until they are moved to a fixed release, so apply the update rather than relying on patches from before that date. Until the upgrade is in place, limit the set of authenticated users who may author HTML content to trusted editors; note that the CMS interface itself is driven by XHR, so disabling XHR for CMS users is not a practical control, and the protection has to come from rejecting javascript: links in stored content.
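The control that is missing in the vulnerable behaviour above is a scheme allowlist applied to every href that reaches storage, regardless of whether the content arrived through a form post or through XHR. The following is an added example written for this page, not Silverstripe code: it normalises a link's href the way a browser would (HTML entity decoding, then WHATWG URL parsing, which strips surrounding C0 controls and spaces, drops tab/LF/CR anywhere, and lowercases the scheme) and then checks the resulting scheme against an allowlist. The base origin `https://example.invalid/`, the entity table, the allowlist and the sample HTML are all assumptions made for the example.

```javascript
// Added example (not Silverstripe code): reject javascript:-style hrefs in stored HTML.
// Assumed base origin; it is only used so that relative links resolve to a scheme.
const BASE_ORIGIN = "https://example.invalid/";

// Schemes a link is allowed to use once normalised. Everything else (javascript:,
// data:, vbscript:, ...) is rejected. Assumed policy for this example.
const SAFE_PROTOCOLS = new Set(["http:", "https:", "mailto:", "tel:"]);

// Small entity table: the named references most often used to hide a scheme
// (&colon;, &Tab;, &NewLine;) plus the usual five. Assumed subset, not the full HTML table.
const NAMED_ENTITIES = {
  amp: "&", lt: "<", gt: ">", quot: '"', apos: "'",
  colon: ":", Tab: "\t", NewLine: "\n",
};

// Decode numeric (&#106; &#x6A;) and known named character references, as the HTML
// parser does before the attribute value ever reaches the URL parser.
function decodeEntities(s) {
  return s.replace(/&(?:#x([0-9a-f]+)|#([0-9]+)|([a-z]+));?/gi, (m, hex, dec, name) => {
    if (hex !== undefined || dec !== undefined) {
      const cp = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
      return cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
    }
    return Object.prototype.hasOwnProperty.call(NAMED_ENTITIES, name) ? NAMED_ENTITIES[name] : m;
  });
}

// Return the scheme the browser would actually use for this href, or null if the
// value does not parse at all. `new URL` implements the WHATWG normalisation, so
// " JaVaScRiPt:", "jav\tascript:" and "\u0001javascript:" all come back as "javascript:".
function hrefProtocol(rawHref) {
  try {
    return new URL(decodeEntities(rawHref), BASE_ORIGIN).protocol;
  } catch {
    return null;
  }
}

// Allowlist decision: true only when the normalised scheme is one we permit.
function isSafeHref(rawHref) {
  const proto = hrefProtocol(rawHref);
  return proto !== null && SAFE_PROTOCOLS.has(proto);
}

// Quoted href attributes on <a> elements. A production sanitiser must walk the parsed
// DOM rather than regex over markup (unquoted attributes and odd nesting are not
// handled here); the regex keeps the example self-contained.
const ANCHOR_HREF = /(<a\b[^>]*?\shref\s*=\s*)(?:"([^"]*)"|'([^']*)')/gi;

// Replace every unsafe href with "#" so the link is kept but can no longer run script.
function neutraliseUnsafeLinks(html) {
  return html.replace(ANCHOR_HREF, (whole, prefix, dq, sq) => {
    const raw = dq !== undefined ? dq : sq;
    return isSafeHref(raw) ? whole : `${prefix}"#"`;
  });
}

// Constructed sample of content an editor might submit via XHR: one legitimate link
// and one javascript: link obfuscated with a tab entity inside the scheme.
const SAMPLE_HTML =
  '<p>See <a href="https://example.com/docs">the docs</a> or ' +
  '<a class="btn" href="jav&#x09;ascript:alert(document.cookie)">click me</a>.</p>';

console.log(neutraliseUnsafeLinks(SAMPLE_HTML));
```

Running the block prints the sample with the second href replaced by "#" while the first is untouched. The important design choice is to decide on the scheme only after the same decoding and normalisation the browser performs; checking the raw attribute string for the literal prefix "javascript:" misses every variant the entity and whitespace tricks above produce.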

Exploit

Fix

XSS


Weakness Enumeration

Related Identifiers

BIT-SILVERSTRIPE-2022-28803
CVE-2022-28803
GHSA-RPPC-655V-7J3C

Affected Products

Silverstripe/Framework