In August 2022, security researchers discovered a critical vulnerability in the Silverstripe Framework—one of the most popular PHP-based website platforms. This bug, identified as CVE-2022-38462, allows attackers to execute Cross-Site Scripting (XSS) within Silverstripe-powered sites by crafting a simple malicious URL. In this post, we’ll break down what went wrong, demonstrate how the attack works, and give advice on securing your Silverstripe website.

What Is CVE-2022-38462?

CVE-2022-38462 is an XSS (Cross-Site Scripting) vulnerability found in the silverstripe/framework package, affecting all versions up to and including 4.11. By manipulating the returnURL query parameter (used in endpoints like /dev/build and /Security/login), an attacker can inject malicious scripts that run in a victim's browser.

The Vulnerability Explained

The Silverstripe framework uses parameters like returnURL on authentication and admin endpoints for redirection. For example, when a user logs in at /Security/login, they may be redirected back to their original destination. However, Silverstripe did not properly sanitize or escape the returnURL value before embedding it in HTML.

Here's what this looked like in the login form source code:

// In /Security/LoginForm.php or similar controller (illustrative vulnerable pattern)
// The raw request value is handed straight to the field: no validation, no escaping.
$fields->addFieldToTab('Root.Main', new HiddenField('BackURL', 'BackURL',
    $this->controller->getRequest()->requestVar('BackURL')
));

If BackURL (often aliased as returnURL) contains JavaScript, it can be injected into the HTML as-is.

Example Attack: Crafting a Malicious URL

Suppose a Silverstripe site has a login page at /Security/login. An attacker wants to insert JavaScript code. They can send the victim to a specially crafted URL like:

https://example.com/Security/login?BackURL=javascript:alert('XSS')

When the login page loads, the unsanitized value is embedded in the form. If a user logs in—or even just loads the page—the script is executed.

<!-- Rendered HTML snippet -->
<a href="javascript:alert('Hacked via CVE-2022-38462')">Click here</a>

If a victim clicks the link, the attacker's JavaScript runs in the context of the website.

Sample Exploit: Proof of Concept

Here is a minimal code snippet you can use to *test* (not attack!) a vulnerable Silverstripe installation:

import requests

# Base URL of the installation you are authorised to test (placeholder host)
target = "https://victim-site.com/Security/login"
# The crafted BackURL value from the example above
payload = 'BackURL=javascript:alert("CVE-2022-38462-exploit")'
url = f"{target}?{payload}"

print(f"Test this URL in your browser: {url}")
response = requests.get(url, timeout=10)
print(response.text[:500])  # First 500 chars of response; look for the unescaped BackURL value

Warning: Only test this on systems you own or have permission to audit!

How to Fix (Upgrade or Patch)

Silverstripe maintainers patched this bug by properly sanitizing the return URL. The best fix: upgrade the silverstripe/framework package to version 4.11.1 or newer.

Manual Patch for Reference:

Validate the returnURL and only allow relative paths, not JavaScript URLs.

// Simple (not production-safe) fix: keep only site-relative paths
$returnURL = $_REQUEST['BackURL'] ?? '/';
// Anything that is not a single-slash-prefixed path is dropped: this covers
// javascript: and every other scheme, plus protocol-relative "//host" values
if (!is_string($returnURL) || !preg_match('#^/(?!/)#', $returnURL)) {
    $returnURL = '/';
}
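A fuller version of that check, written for this post as an added example rather than taken from Silverstripe's patch: the function names (safeReturnUrl, attr) and the sample inputs are constructed here, and it assumes the validated value is only ever used as a redirect path on the same site. It goes beyond the javascript: case in the text to also reject other schemes, protocol-relative and backslash-prefixed hosts, and schemes smuggled past a naive check with whitespace, and it shows the attribute-escaping step that still has to follow validation when the value is written into the form.

```php
<?php
// Added example, not Silverstripe's own code or patch: a conservative
// return-URL validator plus the escaping step needed before the value is
// written into markup. Function names and sample inputs are constructed here.
declare(strict_types=1);

/**
 * Return $candidate only if it is a site-relative path, otherwise $fallback.
 * Rejected: non-strings, empty strings, anything carrying a scheme (so
 * "javascript:", "data:" and "https:" are all out), protocol-relative
 * "//evil.example", backslashes (browsers read "/\evil.example" as
 * "//evil.example"), and control characters or whitespace (browsers strip
 * these before parsing a scheme, so "java\tscript:" would still run).
 */
function safeReturnUrl($candidate, string $fallback = '/'): string
{
    if (!is_string($candidate) || $candidate === '') {
        return $fallback;
    }
    if (preg_match('/[\x00-\x20\x7f]/', $candidate)) {
        return $fallback;
    }
    if (strpos($candidate, '\\') !== false) {
        return $fallback;
    }
    // Exactly one leading slash: "/path" is accepted, "//host" is not.
    if (!preg_match('#^/(?!/)#', $candidate)) {
        return $fallback;
    }
    return $candidate;
}

/** Escape a value for an HTML attribute such as value="..." or href="...". */
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed inputs modelled on the attack above, with the expected outcome.
$samples = [
    'javascript:alert(1)'     => '/',
    'JavaScript:alert(1)'     => '/',
    "java\tscript:alert(1)"   => '/',
    'https://evil.example/'   => '/',
    '//evil.example/phish'    => '/',
    '/\\evil.example/phish'   => '/',
    '/admin/pages?ID=3'       => '/admin/pages?ID=3',
    '/Security/login'         => '/Security/login',
];

foreach ($samples as $input => $expected) {
    $got = safeReturnUrl($input);
    printf("%-26s -> %-20s %s\n", addcslashes($input, "\0..\37"), $got,
        $got === $expected ? 'ok' : 'MISMATCH');
}

// Validation decides *where* the user goes; escaping decides *how* the value
// sits in HTML. Both are needed: a safe path still needs escaping if it
// contains a quote, and escaping alone would not stop a javascript: href.
$back = safeReturnUrl($_REQUEST['BackURL'] ?? '/');
echo '<input type="hidden" name="BackURL" value="' . attr($back) . '">' . "\n";
```

Run it with `php validator.php` to see every sample line end in "ok"; the final echo shows the escaped hidden field that would replace the raw one in the login form. Keeping the validator and the escaper as two separate steps is deliberate: the validator protects the redirect target, the escaper protects the markup, and neither can stand in for the other.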

But really, do this:
- Run composer update silverstripe/framework

Original References

- Silverstripe Security Advisory (GHSA-p6ph-rh7h-wvv7)
- NVD CVE-2022-38462
- Silverstripe Patch Commit

Conclusion

CVE-2022-38462 shows how a single unsanitized input can compromise a whole website. XSS attacks are easy to launch, stealthy, and can have wide-ranging consequences if admins or regular users are tricked into clicking a crafted link. If you run a Silverstripe site, update as soon as possible—and always validate and escape URLs in your code.

Timeline

Published on: 11/22/2022 13:15:00 UTC
Last modified on: 11/23/2022 17:59:00 UTC