CVE-2022-37430 Stored XSS using uppercase characters in HTMLEditor
- Medium (?)
- Versions Affected:
- silverstripe/framework: ^3.0.0, ^4.0.0
- Versions Fixed:
- silverstripe/framework: 4.11.13
- Release Date:
href attribute of a link. A similar issue was identified and fixed via CVE-2022-28803. However, the fix didn't account for the casing of the
An attacker must have access to the CMS to exploit this issue.
Most projects should be able to apply the patch without further work. There's no legitimate use case for this behaviour.
Regression testing should focus on link creations within HTML editor fields.
Base CVSS: 4.6
Reported by: Steve Boyd from Silverstripe Ltd