GHSA-66jf-xm2m-7m8r
Suggest an improvement- Source
- https://github.com/advisories/GHSA-66jf-xm2m-7m8r
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-66jf-xm2m-7m8r/GHSA-66jf-xm2m-7m8r.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-66jf-xm2m-7m8r
- Aliases
-
- CVE-2022-38145
- Published
- 2022-11-22T00:00:16Z
- Modified
- 2024-02-20T05:32:32.773895Z
- Severity
-
- 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- Stored XSS in Compare Mode
- Details
-
A malicious content author could add a Javascript payload to a page's meta description and get it executed in the versioned history compare view.
This vulnerability requires access to the CMS to be deployed. The attacker must then convince a privileged user to access the version history for that page.
- Database specific
{ "github_reviewed_at": "2022-11-22T00:00:16Z", "cwe_ids": [ "CWE-79" ], "nvd_published_at": "2022-11-23T02:15:00Z", "severity": "MODERATE", "github_reviewed": true }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2022-38145
- https://forum.silverstripe.org/c/releases
- https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/versioned-admin/CVE-2022-38145.yaml
- https://www.silverstripe.org/blog/tag/release
- https://www.silverstripe.org/download/security-releases
- https://www.silverstripe.org/download/security-releases/cve-2022-38145
Affected packages
Packagist / silverstripe/versioned-admin
Package
- Name
- silverstripe/versioned-admin
- Purl
- pkg:composer/silverstripe/versioned-admin
Affected versions
1.*
1.0.0
1.1.0-rc1
1.1.0
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.2.0-rc1
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.3.0-alpha1
1.3.0-rc1
1.3.0-rc2
1.3.0
1.3.1
1.6.0-beta1
1.6.0-rc1
1.6.0
1.6.1
1.7.0-beta1
1.7.0-rc1
1.7.0
1.7.1
1.7.2
1.7.3
1.8.0-beta1
1.8.0-beta2
1.8.0-rc1
1.8.0
1.8.1
1.9.0-alpha1
1.9.0-beta1
1.9.0-rc1
1.9.0
1.9.1
1.10.0-beta1
1.10.0-rc1
1.10.0
1.10.1
1.11.0-beta1
1.11.0-rc1
1.11.0