PT-2022-24240 · Silverstripe · Silverstripe/Framework

Tf1T

Published

2022-11-21

Updated

2022-11-22

CVE-2022-38148

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Silverstripe silverstripe/framework versions through 4.11

Description The issue allows SQL Injection, which can be exploited by an attacker with CMS access to execute arbitrary SQL statements. This is achieved by adding an SQL payload in certain parts of the GridField state. The vast majority of Gridfields in Silverstripe CMS are affected.

Recommendations For versions through 4.11, consider restricting access to the GridField state to minimize the risk of exploitation until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

CVE-2022-38148

GHSA-RR8H-F97Q-8P9C

Affected Products

Silverstripe/Framework

PT-2022-24240 · Silverstripe · Silverstripe/Framework

CVE-2022-38148

Weakness Enumeration

Related Identifiers

Affected Products

References · 9