CVE-2022-38724
Silverstripe XSS in shortcodes
Severity: 5.4 MEDIUM (CVSS 3.1); EPSS: 0.46%
Description
A malicious content author could add arbitrary attributes to HTML editor shortcodes which could be used to inject a JavaScript payload on the front end of the site. The shortcode providers that ship with Silverstripe CMS have been reviewed and attribute whitelists have been implemented where appropriate to negate this risk.
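The advisory describes the fix only in outline: each shortcode provider now passes through a fixed list of attribute names instead of whatever the author typed. The following Python sketch is an added illustration of that pattern and is not Silverstripe's own parser or allowlist; the shortcode grammar, the `image`/`file_link` providers, their attribute sets and the sample content are all constructed for the example. It puts the unfiltered rendering (the vulnerable shape) beside the allowlisted one, and additionally escapes attribute values and rejects non-http(s) URL schemes, two checks a practitioner would want alongside name allowlisting.

```python
"""Attribute allowlisting for HTML-editor shortcodes (added illustration).

Assumptions (not Silverstripe code): shortcodes look like [image src="..." alt="..."],
attributes are double-quoted, and each shortcode provider declares which attribute
names it is willing to emit. Nothing here is the CMS's own parser or allowlist.
"""
import html
import re
from urllib.parse import urlsplit

# Constructed grammar: [name key="value" key="value" ...]
SHORTCODE_RE = re.compile(r"\[(?P<name>[a-z_]+)(?P<attrs>[^\]]*)\]")
ATTR_RE = re.compile(r'(?P<key>[A-Za-z_:-]+)\s*=\s*"(?P<val>[^"]*)"')

# Constructed per-provider allowlists: the only attribute names a provider emits.
ALLOWED_ATTRIBUTES = {
    "image": {"src", "alt", "width", "height", "class"},
    "file_link": {"href", "class", "title"},
}
TAG_FOR_SHORTCODE = {"image": "img", "file_link": "a"}
URL_ATTRIBUTES = {"src", "href"}


def parse_shortcode(text):
    """Return (name, {attr: value}) for the first shortcode in text, or None."""
    m = SHORTCODE_RE.search(text)
    if not m:
        return None
    attrs = {a.group("key"): a.group("val") for a in ATTR_RE.finditer(m.group("attrs"))}
    return m.group("name"), attrs


def _safe_url(value):
    """Accept relative URLs and http(s) only; javascript: and data: schemes are rejected."""
    return urlsplit(value).scheme.lower() in ("", "http", "https")


def render_unfiltered(name, attrs):
    """Vulnerable shape: every author-supplied attribute is echoed into the tag."""
    tag = TAG_FOR_SHORTCODE.get(name, "span")
    parts = "".join(f' {k}="{v}"' for k, v in attrs.items())
    return f"<{tag}{parts}>"


def render_allowlisted(name, attrs):
    """Hardened shape: keep only allowlisted names, validate URL attributes and
    HTML-escape every value so it cannot break out of the surrounding quotes."""
    allowed = ALLOWED_ATTRIBUTES.get(name)
    if allowed is None:
        return ""  # unknown provider: emit nothing rather than guess a tag
    kept = []
    for key, value in attrs.items():
        k = key.lower()
        if k not in allowed:
            continue  # e.g. event-handler attributes are silently dropped
        if k in URL_ATTRIBUTES and not _safe_url(value):
            continue
        kept.append(f' {k}="{html.escape(value, quote=True)}"')
    return f"<{TAG_FOR_SHORTCODE[name]}{''.join(kept)}>"


# Constructed sample content: an author-supplied shortcode carrying an event handler.
SAMPLE = '[image src="/assets/logo.png" alt="Logo" onerror="alert(1)"]'

if __name__ == "__main__":
    name, attrs = parse_shortcode(SAMPLE)
    print("unfiltered :", render_unfiltered(name, attrs))
    print("allowlisted:", render_allowlisted(name, attrs))
```

Running the script prints the unfiltered tag with the `onerror` attribute intact and the allowlisted tag with only `src` and `alt`. The allowlist is keyed by provider so that a link provider never emits `src` and an image provider never emits `href`; that per-provider scoping is what the advisory means by "attribute whitelists ... where appropriate".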
How to fix CVE-2022-38724
To remediate CVE-2022-38724, upgrade the affected package to a fixed version below.
- upgrade to 1.11.1 or later
- upgrade to 4.11.13 or later
Is CVE-2022-38724 being exploited?
Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- >= 1.0.0, < 1.11.1
- >= 4.0.0, < 4.11.13
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (5.4) | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |