CVE-2022-25238
Description
Silverstripe silverstripe/framework through 4.10.0 allows XSS inside of script tags that can be added to website content via XHR by an authenticated CMS user if the cwp-core module is not installed or the sanitise_server_side config is not set to true in project code.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Silverstripe Framework through 4.10.0 allows authenticated CMS users to inject XSS via script tags added through XHR when cwp-core is missing or sanitise_server_side is disabled.
Vulnerability
Details
CVE-2022-25238 is a stored cross-site scripting (XSS) vulnerability in Silverstripe Framework versions up to and including 4.10.0. The root cause is insufficient server-side sanitization of script tags that can be added to website content via XMLHttpRequest (XHR). The vulnerability is exploitable only when the cwp-core module is not installed or the sanitise_server_side configuration option is not set to true in the project code [2][3].
Exploitation
An authenticated CMS user can craft a malicious XHR request to inject arbitrary script tags into website content. No special privileges beyond standard CMS access are required, but the attacker must be authenticated. The attack bypasses server-side sanitization due to the missing or disabled protection mechanisms [2][3].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of any user viewing the affected page. This can lead to session hijacking, data theft, defacement, or other client-side attacks [2][3].
Mitigation
Silverstripe has addressed this vulnerability in later releases. Users should upgrade to a patched version of silverstripe/framework. As a workaround, ensure the cwp-core module is installed and that sanitise_server_side is set to true in the project configuration [2][3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| silverstripe/framework (Packagist) | >= 4.0.0, < 4.10.9 | 4.10.9 |
Affected products
- Silverstripe/framework
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-jx34-gqqq-r6gm (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-25238 (advisory)
- docs.silverstripe.org/en/4/changelogs/4.10.1 (web)
- forum.silverstripe.org/c/releases (web)
- github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2022-25238.yaml (web)
- www.silverstripe.org/blog/tag/release (web)
- www.silverstripe.org/download/security-releases (web)
- www.silverstripe.org/download/security-releases/cve-2022-25238 (web)
News mentions
No linked articles in our index yet.