Skip to main content

This site requires you to update your browser. Your browsing experience maybe affected by not having the most up to date version.

CVE-2022-37421 Stored XSS in custom meta tags

Low (?)
Versions Affected:
silverstripe/cms: ^4.0.0, ^3.0.0
Versions Fixed:
silverstripe/cms: 4.11.3
Release Date:

A malicious content author could create a custom meta tag and execute an arbitrary JavaScript payload. This would require convincing a legitimate user to access a page and enter a custom keyboard shortcut.
This requires CMS access to exploit.

Most projects should be able to apply the patch without further work. There's no legitimate use case for this behaviour.

Regression testing should focus on pages with pre-existing custom meta tags, if any are present.

Base CVSS: 3.7

Reported by: TF1T via