PT-2022-24239 · Silverstripe · Silverstripe/Framework

Nhienit · Published 2022-11-21 · Updated 2024-10-06 · CVE-2022-38147

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions: Silverstripe silverstripe/framework versions 4.11 and earlier

Description: The issue allows for XSS attacks. A malicious content author could upload a GPX file with a Javascript payload. The payload could then be executed by luring a legitimate user to view the file in a browser with support for GPX files. GPX is an XML-based format used to store GPS data.

Recommendations: For versions 4.11 and earlier, consider disabling the upload of GPX files to the assets area as a temporary workaround until a patch is available. By default, Silverstripe CMS will no longer allow GPX files to be uploaded to the assets area, so ensuring this default setting is in place can help mitigate the risk.
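As an added defender-side example (not code from Silverstripe or from this advisory), the scanner below parses a GPX upload as XML and flags content a GPX file has no legitimate use for: script-like elements, on* event-handler attributes and script-scheme URLs in href/src attributes. The two GPX documents embedded in it are constructed samples; element and attribute names are matched by local name so a payload placed in a foreign namespace is still reported.

```python
import re
import xml.etree.ElementTree as ET

# Element local names with no place in GPX (matched regardless of namespace).
ACTIVE_ELEMENTS = {"script", "iframe", "object", "embed", "foreignobject", "svg"}
URL_ATTRS = {"href", "src"}
SCRIPT_SCHEME = re.compile(r"^\s*(javascript|vbscript|data)\s*:", re.IGNORECASE)


def _local(qname: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return qname.rsplit("}", 1)[-1].lower()


def scan_gpx(xml_text: str) -> list[str]:
    """Return findings for one GPX document; an empty list means it looks like plain GPX."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    if _local(root.tag) != "gpx":
        findings.append(f"root element is <{_local(root.tag)}>, not <gpx>")
    for elem in root.iter():
        name = _local(elem.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"active content element <{name}>")
        for attr, value in elem.attrib.items():
            a = _local(attr)
            if a.startswith("on"):
                findings.append(f"event handler attribute {a} on <{name}>")
            elif a in URL_ATTRS and SCRIPT_SCHEME.match(value):
                findings.append(f"script-scheme URL in {a} on <{name}>")
    return findings


# Constructed sample: an ordinary waypoint file.
SAFE_GPX = """<?xml version="1.0"?>
<gpx version="1.1" creator="constructed" xmlns="http://www.topografix.com/GPX/1/1">
  <wpt lat="48.85" lon="2.35"><name>Paris</name>
    <link href="https://example.com/track"><text>track</text></link>
  </wpt>
</gpx>"""

# Constructed sample: the same file carrying three markers the scanner should report.
BAD_GPX = """<?xml version="1.0"?>
<gpx version="1.1" creator="constructed" xmlns="http://www.topografix.com/GPX/1/1">
  <wpt lat="0" lon="0" onmouseover="placeholder()">
    <name>bad</name>
    <link href="javascript:void(0)"><text>x</text></link>
    <script>/* placeholder body */</script>
  </wpt>
</gpx>"""
```

Run `scan_gpx` over each file in the assets area and quarantine anything that returns findings; the parse-error path catches uploads that are not XML at all.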

XSS

Weakness Enumeration

Related Identifiers

CVE-2022-38147
GHSA-VV3R-FXQP-VR3F

Affected Products

Silverstripe/Framework