PT-2022-24544 · Silverstripe · Silverstripe/Framework+2

Steve Boyd · Published 2022-11-21 · Updated 2025-04-29 · CVE-2022-38724

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Silverstripe silverstripe/framework versions 4.11.0 and earlier
Silverstripe silverstripe/assets versions 1.11.0 and earlier
Silverstripe silverstripe/asset-admin versions 1.11.0 and earlier

Description

The issue allows for cross-site scripting (XSS) attacks. A malicious content author could add arbitrary attributes to HTML editor shortcodes, potentially injecting a JavaScript payload on the site's front end. The shortcode providers that ship with Silverstripe CMS have been reviewed, and attribute whitelists have been implemented where necessary to mitigate this risk.

Recommendations

For silverstripe/framework versions 4.11.0 and earlier, update to a version that includes the attribute whitelists for shortcode providers.
For silverstripe/assets versions 1.11.0 and earlier, update to a version that includes the attribute whitelists for shortcode providers.
For silverstripe/asset-admin versions 1.11.0 and earlier, update to a version that includes the attribute whitelists for shortcode providers.
As a temporary workaround, consider restricting the ability to add arbitrary attributes to HTML editor shortcodes until a patch is available.
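The following is an added illustration of the mitigation the advisory describes (an attribute whitelist in a shortcode handler); it is not code from Silverstripe or from this advisory. The handler signature ($arguments, $content, $parser, $tagName) follows the callable shape that Silverstripe's ShortcodeParser::register() accepts; the shortcode name "embed_box", its allowed attributes and the sample input are assumptions made up for this example.

```php
<?php
// Added example, not Silverstripe's own code. A shortcode handler that emits
// only attributes from an explicit whitelist, validates each value, and
// escapes everything it writes into the page. Unknown attributes supplied by a
// content author are dropped instead of being echoed into the front end.
declare(strict_types=1);

final class SafeShortcodeHandler
{
    /** Attributes the shortcode may pass through, each with a validation pattern (assumed set). */
    private const ALLOWED_ATTRIBUTES = [
        'width'  => '/^\d{1,4}$/',
        'height' => '/^\d{1,4}$/',
        'class'  => '/^[A-Za-z0-9_ -]{1,64}$/',
    ];

    /**
     * Renders [embed_box ...]content[/embed_box] (hypothetical shortcode name).
     * Signature mirrors the handler shape used with ShortcodeParser::register().
     */
    public static function handle(array $arguments, ?string $content = null, $parser = null, ?string $tagName = null): string
    {
        $attrs = [];
        foreach (self::ALLOWED_ATTRIBUTES as $name => $pattern) {
            if (!isset($arguments[$name])) {
                continue;
            }
            $value = (string) $arguments[$name];
            if (preg_match($pattern, $value) !== 1) {
                // Value does not match the expected shape: drop the attribute entirely.
                continue;
            }
            $attrs[] = sprintf('%s="%s"', $name, htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
        }
        $attrString = $attrs ? ' ' . implode(' ', $attrs) : '';
        // The inner content is author-supplied text, so it is escaped as well.
        $safeContent = htmlspecialchars((string) $content, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        return sprintf('<div%s>%s</div>', $attrString, $safeContent);
    }
}

// Constructed test input: one valid attribute, one attribute that is not on the
// whitelist, and one whitelisted attribute whose value fails validation.
$arguments = [
    'width'       => '300',
    'onmouseover' => 'alert(1)',
    'class'       => 'card" onclick="alert(1)',
];
echo SafeShortcodeHandler::handle($arguments, 'Hello'), PHP_EOL;
// Prints: <div width="300">Hello</div>
// onmouseover is not whitelisted and the class value fails its pattern, so neither reaches the output.
```

The design point is that the whitelist is positive (a fixed set of attribute names, each with a value check) rather than a blocklist of dangerous names; that is what makes arbitrary attributes added through the HTML editor inert regardless of which attribute an author chooses.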

XSS

Weakness Enumeration

Related Identifiers

CVE-2022-38724
GHSA-9CX2-HJ6M-FV58

Affected Products

Silverstripe Asset-Admin
Silverstripe/Assets
Silverstripe/Framework