CVE-2022-38724 XSS in shortcodes
- Severity: Medium (?)
- Identifier: CVE-2022-38724
- Versions Affected: silverstripe/framework: ^4.0.0, silverstripe/assets: ^1.0.0
- Versions Fixed: silverstripe/framework: ^4.11.13, silverstripe/assets: ^1.11.1
- Release Date: 2022-11-21
A malicious content author could add arbitrary attributes to HTML editor shortcodes which could be used to inject a JavaScript payload on the front end of the site. The shortcode providers that ship with Silverstripe CMS have been reviewed and attribute whitelists have been implemented where appropriate to negate this risk.
Most projects should be able to apply the patch without further work. There's no legitimate use case for this behaviour. If your project includes custom shortcode providers, consider reviewing them and implementing a similar whitelist when rendering the shortcodes to HTML.
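The following is an added example of such an allow-list in a custom shortcode provider; it is not code from the advisory or from Silverstripe core. It assumes the Silverstripe CMS 4 shortcode API (`ShortcodeParser::register()`, the `handle_shortcode` signature, and `HTML::createTag`, which escapes attribute values) and uses a hypothetical `safe_embed` shortcode name.

```php
<?php
// Added example (not Silverstripe core code): a custom shortcode provider that
// only emits an allow-list of attributes. Assumes the Silverstripe CMS 4 API.

namespace App\Shortcodes;

use SilverStripe\View\HTML;
use SilverStripe\View\Parsers\ShortcodeParser;

class SafeEmbedShortcodeProvider
{
    // Only these attribute names may reach the rendered tag. Anything else a
    // content author types into the shortcode (e.g. an event handler attribute)
    // is dropped instead of being passed through to the front end.
    private static $allowed_attributes = ['src', 'width', 'height', 'title'];

    /**
     * Handler signature expected by ShortcodeParser::register().
     * $arguments holds the key="value" pairs parsed from the shortcode.
     */
    public static function handle_shortcode($arguments, $content, $parser, $shortcode, $extra = [])
    {
        $attributes = [];
        foreach ($arguments as $name => $value) {
            $name = strtolower((string) $name);
            if (!in_array($name, self::$allowed_attributes, true)) {
                continue; // unknown attribute: drop it
            }
            $attributes[$name] = (string) $value;
        }

        // The attribute name being allowed is not enough: restrict src to http(s)
        // so a javascript: or data: URL cannot be smuggled through.
        if (!isset($attributes['src']) || !preg_match('#^https?://#i', $attributes['src'])) {
            return ''; // nothing safe to render
        }

        // HTML::createTag HTML-escapes each attribute value (assumption about the core API).
        return HTML::createTag('iframe', $attributes, '');
    }
}

// Registration, typically in app/_config.php (hypothetical shortcode name):
// ShortcodeParser::get('default')
//     ->register('safe_embed', [SafeEmbedShortcodeProvider::class, 'handle_shortcode']);
```

With this handler, `[safe_embed src="https://example.com/v" onload="x()"]` renders an iframe carrying only `src`; the `onload` attribute never reaches the page.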
Regression testing should focus on HTML Editor functionality relying on shortcodes:
- image insertion
- links to CMS resources
- media insertion
- custom shortcodes for your project.
Base CVSS: 4.6
Reported by: Steve Boyd from Silverstripe Ltd