
CVE-2022-38146 URL XSS vulnerability due to outdated jquery in CMS

Severity:
Medium
Identifier:
CVE-2022-38146
Versions Affected:
silverstripe/admin: ^1.0.0
Versions Fixed:
silverstripe/admin: ^1.11.3
Release Date:
2022-11-21

The Silverstripe CMS UI uses jQuery 1.7.2. This version of jQuery is affected by CVE-2019-11358, a prototype pollution flaw in jQuery.extend() that lets attacker-controlled input add properties to Object.prototype. An attacker could perform an XSS attack by convincing a user to follow a link whose query string contains a specially crafted __proto__ parameter.

silverstripe/admin 1.11.3 addresses this problem by stopping all JavaScript execution if a __proto__ query string parameter is present in the URL. This fix is a stopgap measure only.

This issue will be properly remediated by upgrading to jQuery 3.6.1 or later in the Silverstripe CMS 4.12.0 release.
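The three mechanisms described above (the pre-3.4.0 jQuery.extend() deep-merge flaw, the 1.11.3 stopgap that refuses to run when __proto__ appears in the query string, and the proper fix of a merge that skips the dangerous keys) are shown together in the following added example. It is not Silverstripe's or jQuery's code: the bracket-notation query-string parser, the merge functions and the attack URL are constructed for this illustration, and the exact form of the Silverstripe check is not stated on this page.

```javascript
// Added example, not Silverstripe's or jQuery's code. The deep merge below
// mirrors the behaviour CVE-2019-11358 describes in pre-3.4.0
// jQuery.extend(true, ...); the parser and attack URL are constructed here.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Decode one query-string token; a malformed escape yields null so callers
// can fail closed instead of silently skipping the check.
function decodeToken(token) {
  try {
    return decodeURIComponent(token.replace(/\+/g, ' '));
  } catch (e) {
    return null;
  }
}

// Hypothetical parser turning "?a[b][c]=v&x=y" into nested objects. Nodes use a
// null prototype so a "__proto__" segment becomes an ordinary own property of
// the parsed result, just as JSON.parse('{"__proto__":{}}') produces.
function parseQuery(search) {
  const root = Object.create(null);
  const qs = search.startsWith('?') ? search.slice(1) : search;
  if (qs === '') return root;
  for (const pair of qs.split('&')) {
    const eq = pair.indexOf('=');
    const key = decodeToken(eq === -1 ? pair : pair.slice(0, eq));
    const val = decodeToken(eq === -1 ? '' : pair.slice(eq + 1));
    if (key === null || val === null) continue; // drop undecodable pairs
    const path = key.replace(/\]/g, '').split('[');
    let node = root;
    for (let i = 0; i < path.length - 1; i++) {
      if (typeof node[path[i]] !== 'object' || node[path[i]] === null) {
        node[path[i]] = Object.create(null);
      }
      node = node[path[i]];
    }
    node[path[path.length - 1]] = val;
  }
  return root;
}

// Vulnerable deep merge: copies every enumerable key by name. On a plain
// object target["__proto__"] resolves to Object.prototype, so the recursion
// writes attacker-chosen properties onto every object in the page.
function vulnerableDeepMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      vulnerableDeepMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened deep merge: skip the keys that reach Object.prototype (jQuery
// 3.4.0's fix skips __proto__; constructor and prototype are closed off here
// as well) and only descend into own properties of the target.
function safeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || target[key] === null || typeof target[key] !== 'object') target[key] = {};
      safeDeepMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Stopgap in the spirit of silverstripe/admin 1.11.3: decide before any other
// script runs whether the URL carries a __proto__ parameter. The test is made
// on decoded key segments, so "%5F%5Fproto%5F%5F" is caught as well, and an
// undecodable key counts as suspicious (fail closed).
function queryStringHasProto(search) {
  const qs = search.startsWith('?') ? search.slice(1) : search;
  if (qs === '') return false;
  return qs.split('&').some((pair) => {
    const key = decodeToken(pair.split('=')[0]);
    if (key === null) return true;
    return key.replace(/\]/g, '').split('[').includes('__proto__');
  });
}

// Merge URL parameters over some defaults with the given merge function and
// report whether Object.prototype was polluted as a side effect. The marker
// is deleted afterwards so the rest of the process is not left polluted.
function mergeDefaults(search, merge) {
  const defaults = { theme: 'light', page: 1 };
  merge(defaults, parseQuery(search));
  const polluted = ({}).polluted === 'yes'; // probe a fresh, unrelated object
  delete Object.prototype.polluted;
  return { defaults, polluted };
}

// What the stopgap amounts to: with __proto__ in the URL, run nothing at all.
function guardedMergeDefaults(search) {
  if (queryStringHasProto(search)) return null;
  return mergeDefaults(search, vulnerableDeepMerge);
}

const ATTACK = '?__proto__[polluted]=yes&theme=dark'; // constructed attack URL
console.log(mergeDefaults(ATTACK, vulnerableDeepMerge).polluted); // true
console.log(mergeDefaults(ATTACK, safeDeepMerge).polluted);       // false
console.log(guardedMergeDefaults(ATTACK));                        // null
```

The stopgap is coarse because it has to be: once Object.prototype carries an attacker's property, every later lookup of a missing key in the page can return attacker data, so refusing to run any script at all is the only safe choice short of replacing the merge. Note that a substring check on the raw, undecoded URL would miss the percent-encoded form, which is why the guard above decodes each key first.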

Most projects should be able to apply the patch without further work. There is no legitimate use case for a __proto__ parameter in a CMS URL, so halting on it should not affect normal use.

Regression testing should focus on custom CMS UI functionality that might be implemented in your project.

If you use the jQuery version distributed with Silverstripe CMS in the front end of your site, you may be affected by this vulnerability through the front end as well. If this applies to your project, you should upgrade your theme to use a more recent jQuery version.

Base CVSS: 5.4

Reported by: Trong Pham via huntr.dev