Silverstripe is vulnerable to cross-site scripting. The vulnerability exists in the $allowed_extensions
array of File.php, which permits uploading .gpx files, allowing an attacker to inject and execute malicious JavaScript.
forum.silverstripe.org/c/releases
github.com/advisories/GHSA-vv3r-fxqp-vr3f
github.com/silverstripe/silverstripe-assets/commit/d132e9f7a104748efd2ca02a100455bf941d20c1
github.com/silverstripe/silverstripe-assets/pull/529
github.com/silverstripe/silverstripe-framework/blob/f44d5b311e57a50d32a2208f93b207011359df02/filesystem/File.php#L114
www.silverstripe.org/blog/tag/release
www.silverstripe.org/download/security-releases/
www.silverstripe.org/download/security-releases/CVE-2022-38147