CVE-2022-38145

Name of the Vulnerable Software and Affected Versions Silverstripe silverstripe/framework versions through 4.11

Description The issue allows remote attackers to execute a Javascript payload in the versioned history compare view by adding it to a page's meta description. This can be done by a malicious content author who has access to the CMS. The attacker must then convince a privileged user to access the version history for that page.

Recommendations For versions through 4.11, consider restricting access to the versioned history compare view until a patch is available. As a temporary workaround, limit the ability for content authors to add Javascript payloads to page meta descriptions. Ensure that only trusted users have access to the CMS to minimize the risk of exploitation.