Skip to main content

This site requires you to update your browser. Your browsing experience maybe affected by not having the most up to date version.

CVE-2022-38147 XSS via uploaded gpx file

Medium (?)
Versions Affected:
silverstripe/assets: ^1.0.0
Versions Fixed:
silverstripe/assets: 1.11.1
Release Date:

A malicious content author could upload a GPX file with a Javascript payload. The payload could then be executed by luring a legitimate user to view the file in a browser with support for GPX files. GPX is an XML-based format used to store GPS data.

By default, Silverstripe CMS will no longer allow GPX files to be uploaded to the assets area.

Most projects should be able to apply the patch without further work. While there can be a legitimate use case for using GPX files, it's an uncommon one. You can re-enable support for GPX files if you have a need for them, but beware there's an inherent risk in allowing content authors to upload this kind of file.

Regression testing should focus on identifying if your site makes use of any GPX files. You can validate if you have any pre-existing GPX file on your Silverstripe CMS site by accessing the Files area and searching for "GPX". You'll want to delete any GPX file prior to applying the patch.

Base CVSS: 4.6

Reported by: nhienit via