silverstripe/framework is vulnerable to cross-site scripting (XSS) attacks. The library does not properly sanitize user input supplied through links and iframes, allowing a remote authenticated attacker to inject and execute malicious JavaScript via XMLHttpRequest (XHR).
github.com/advisories/GHSA-rppc-655v-7j3c
github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2022-28803.yaml
github.com/silverstripe/silverstripe-framework/commit/d2c58f3bbc03846c460acddd38203387cd06416c
github.com/silverstripe/silverstripe-framework/pull/10374
silverstripe.org
www.silverstripe.org/download/security-releases/cve-2022-28803