GMS-2022-6856: XSS in shortcodes

November 21, 2022

A malicious content author could add arbitrary attributes to HTML editor shortcodes which could be used to inject a JavaScript payload on the front end of the site. The shortcode providers that ship with Silverstripe CMS have been reviewed and attribute allow lists have been implemented where appropriate to negate this risk.

References

github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/assets/CVE-2022-38724.yaml
github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2022-38724.yaml
github.com/advisories/GHSA-9cx2-hj6m-fv58
www.silverstripe.org/download/security-releases/cve-2022-38724

Code Behaviors & Features

Detect and mitigate GMS-2022-6856 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →