GMS-2022-6854: XSS via uploaded gpx file
A malicious content author could upload a GPX file containing a JavaScript payload. The payload could then be executed by luring a legitimate user into viewing the file in a browser that supports GPX files (stored XSS). GPX is an XML-based format used to store GPS data.
By default, Silverstripe CMS will no longer allow GPX files to be uploaded to the assets area.
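The default-deny behaviour described above, as an added illustration that is not Silverstripe's own code: an upload gate that keeps `gpx` out of the extension allowlist unless an administrator opts in, and, for XML-based files that are allowed, parses the document and flags content a browser could execute (script-capable elements, event handler attributes, scriptable URIs, stylesheet processing instructions). The allowlist contents, the file names, the heuristics and the sample documents are all constructed for the example; the page itself only states that GPX files carrying a JavaScript payload can execute when viewed in a browser.

```python
"""Defensive upload gate for XML-based files such as GPX (added example)."""
import re
from xml.etree import ElementTree as ET

# Example allowlist. 'gpx' is deliberately absent, mirroring the advisory's
# "no longer allowed by default"; a site that needs GPX must add it explicitly.
DEFAULT_ALLOWED_EXTENSIONS = frozenset({"jpg", "jpeg", "png", "gif", "pdf", "txt"})

# XML-based formats that a browser may render, and therefore deserve inspection.
_INSPECTED_EXTENSIONS = (".gpx", ".xml", ".svg")

# Heuristics for browser-executable content (assumptions, not from the advisory).
_ACTIVE_ELEMENTS = {"script", "iframe", "object", "embed"}
_EVENT_ATTR = re.compile(r"^on[a-z]+$", re.IGNORECASE)
_SCRIPT_URI = re.compile(r"^\s*(javascript|vbscript|data):", re.IGNORECASE)


def _local_name(qualified):
    """Strip an ElementTree '{namespace}' prefix so <xhtml:script> is seen as 'script'."""
    return qualified.rsplit("}", 1)[-1].lower()


def extension_allowed(filename, allowed=DEFAULT_ALLOWED_EXTENSIONS):
    """True if the file's extension is on the allowlist (case-insensitive)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in allowed


def find_active_content(xml_bytes):
    """Return a list of findings describing browser-executable content, [] if clean."""
    findings = []
    # Processing instructions and DOCTYPEs are checked on the raw bytes because
    # ElementTree drops the former and expands entities from the latter.
    if b"<?xml-stylesheet" in xml_bytes:
        findings.append("xml-stylesheet processing instruction")
    if b"<!DOCTYPE" in xml_bytes:
        findings.append("DOCTYPE declaration")
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]
    for elem in root.iter():
        name = _local_name(elem.tag)
        if name in _ACTIVE_ELEMENTS:
            findings.append("<%s> element" % name)
        for attr, value in elem.attrib.items():
            attr_name = _local_name(attr)
            if _EVENT_ATTR.match(attr_name):
                findings.append("event handler attribute %s on <%s>" % (attr_name, name))
            elif _SCRIPT_URI.match(value):
                findings.append("scriptable URI in %s on <%s>" % (attr_name, name))
    return findings


def screen_upload(filename, content, allowed=DEFAULT_ALLOWED_EXTENSIONS):
    """Gate an upload: (accepted, findings). Extension check first, then content."""
    if not extension_allowed(filename, allowed):
        return False, ["extension not in allowlist"]
    findings = []
    if filename.lower().endswith(_INSPECTED_EXTENSIONS):
        findings = find_active_content(content)
    return not findings, findings


# Constructed sample documents (not real uploads).
CLEAN_GPX = (
    b'<?xml version="1.0"?>'
    b'<gpx version="1.1" creator="example" xmlns="http://www.topografix.com/GPX/1/1">'
    b'<wpt lat="51.5" lon="-0.1"><name>Sample waypoint</name></wpt></gpx>'
)
SUSPECT_GPX = (
    b'<?xml version="1.0"?>'
    b'<gpx version="1.1" xmlns="http://www.topografix.com/GPX/1/1">'
    b'<wpt lat="51.5" lon="-0.1"><name>x</name>'
    b'<script xmlns="http://www.w3.org/1999/xhtml">/* constructed marker */</script>'
    b'</wpt></gpx>'
)

if __name__ == "__main__":
    print(screen_upload("track.gpx", CLEAN_GPX))            # rejected: extension
    with_gpx = DEFAULT_ALLOWED_EXTENSIONS | {"gpx"}           # administrator opt-in
    print(screen_upload("track.gpx", CLEAN_GPX, with_gpx))   # accepted
    print(screen_upload("track.gpx", SUSPECT_GPX, with_gpx)) # rejected: <script>
```

The content inspection is a second layer for sites that re-enable GPX: even when the extension is permitted, a document carrying script-capable markup is rejected before it reaches the assets area. Serving such files with `Content-Disposition: attachment` and a non-HTML `Content-Type` is a complementary control, since the payload only fires when a browser renders the file inline.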