CVE-2022-38724 XSS in shortcodes
- Severity: Medium (?)
- Versions Affected: silverstripe/framework: ^4.0.0, silverstripe/assets: ^1.0.0
- Versions Fixed: silverstripe/framework: ^4.11.13, silverstripe/assets: ^1.11.1
- Release Date:
Most projects should be able to apply the patch without further work. There's no legitimate use case for this behaviour. If your project includes custom shortcode providers, consider reviewing them and implementing a similar whitelist when rendering the shortcodes to HTML.
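The following is an added example of the whitelist approach suggested above for a custom shortcode provider; it is not code from the Silverstripe patch or from the silverstripe/framework project. The shortcode name `my_image`, the helper names `renderWhitelistedTag`, `isSafeUrl` and `my_image_shortcode`, and the particular list of allowed attributes are all assumptions for illustration. Only the `ShortcodeParser::get('default')->register()` call and the handler argument order are taken from the documented Silverstripe API.

```php
<?php
// Added example (not Silverstripe's own code): a custom shortcode handler that
// copies only a fixed whitelist of attributes from the shortcode into the
// rendered HTML and escapes every value, so user-supplied attributes such as
// event handlers never reach the output. Names here are assumptions.

declare(strict_types=1);

use SilverStripe\View\Parsers\ShortcodeParser;

/**
 * Accept only relative URLs or http(s) URLs for attributes that carry a URL.
 * Assumed helper; adjust the scheme list to what your project needs.
 */
function isSafeUrl(string $url): bool
{
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if ($scheme === null || $scheme === false) {
        return true; // relative URL, no scheme
    }
    return in_array(strtolower($scheme), ['http', 'https'], true);
}

/**
 * Render an HTML tag from parsed shortcode arguments, keeping only the
 * attributes named in $allowed. Everything else is dropped silently.
 *
 * @param string   $tag       element name to emit, e.g. "img"
 * @param string[] $allowed   attribute names that may be copied across
 * @param string[] $urlAttrs  subset of $allowed that must pass isSafeUrl()
 * @param array    $arguments the parsed [shortcode key="value"] pairs
 */
function renderWhitelistedTag(string $tag, array $allowed, array $urlAttrs, array $arguments): string
{
    $attrs = '';
    foreach ($allowed as $name) {
        if (!isset($arguments[$name])) {
            continue;
        }
        $value = (string) $arguments[$name];
        if (in_array($name, $urlAttrs, true) && !isSafeUrl($value)) {
            continue; // unexpected scheme: drop the attribute rather than emit it
        }
        // Escape so the value cannot break out of the attribute quoting.
        $value = htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $attrs .= sprintf(' %s="%s"', $name, $value);
    }
    return sprintf('<%s%s>', $tag, $attrs);
}

/**
 * Handler for a hypothetical [my_image src="..." alt="..."] shortcode.
 * Parameter order follows the ShortcodeParser handler contract:
 * ($arguments, $content, $parser, $tagName).
 */
function my_image_shortcode(array $arguments, $content, $parser, string $tagName): string
{
    return renderWhitelistedTag(
        'img',
        ['src', 'alt', 'width', 'height', 'class'],
        ['src'],
        $arguments
    );
}

ShortcodeParser::get('default')->register('my_image', 'my_image_shortcode');

// Constructed input for a local check: an attribute outside the whitelist is
// dropped, and the value of an allowed attribute is escaped.
// [my_image src="/assets/a.png" alt="x&quot;" onmouseover="..."]
// renders as <img src="/assets/a.png" alt="x&amp;quot;">
```

The important design choice is that the handler never iterates over the attributes the author supplied; it iterates over the list of attributes the template is allowed to emit and looks each one up. That way a new attribute name in the shortcode can never reach the HTML without a code change, which is the property the framework fix restores for its built-in shortcodes.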
Regression testing should focus on HTML Editor functionality that relies on shortcodes:
- image insertion
- links to CMS resources
- media insertion
- custom shortcodes for your project.
Base CVSS: 4.6
Reported by: Steve Boyd from Silverstripe Ltd