GMS-2022-6857: Stored XSS using uppercase characters in HTMLEditor

November 21, 2022

A malicious content author could add a Javascript payload to the href attribute of a link. A similar issue was identified and fixed via CVE-2022-28803. However, the fix didn’t account for the casing of the href attribute. An attacker must have access to the CMS to exploit this issue.

References

github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2022-37430.yaml
github.com/advisories/GHSA-qw4w-vq8v-2wcv
www.silverstripe.org/download/security-releases/cve-2022-37430

Detect and mitigate GMS-2022-6857 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →