GoogleOSV:GHSA-66JF-XM2M-7M8RStored XSS in Compare Mode
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS
Percentile
36.6%
A malicious content author could add a Javascript payload to a page’s meta description and get it executed in the versioned history compare view.
This vulnerability requires access to the CMS to be deployed. The attacker must then convince a privileged user to access the version history for that page.
References
forum.silverstripe.org/c/releases
github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/versioned-admin/CVE-2022-38145.yaml
nvd.nist.gov/vuln/detail/CVE-2022-38145
www.silverstripe.org/blog/tag/release
www.silverstripe.org/download/security-releases
www.silverstripe.org/download/security-releases/cve-2022-38145
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS
Percentile
36.6%