VYPR
Moderate severity · NVD Advisory · Published Jun 29, 2022 · Updated Aug 3, 2024

CVE-2022-28803

Description

In SilverStripe Framework through 2022-04-07, Stored XSS can occur in javascript link tags added via XMLHttpRequest (XHR).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SilverStripe Framework through 2022-04-07 allows stored XSS via JavaScript link tags added through XMLHttpRequest.

Vulnerability Overview

CVE-2022-28803 is a stored cross-site scripting (XSS) vulnerability in the SilverStripe Framework, affecting versions up to the 2022-04-07 release. The flaw lies in how the framework handles JavaScript link tags added via XMLHttpRequest (XHR). When attacker-controlled content is inserted into a page through an XHR request, the framework fails to properly sanitize or escape the href attribute of such link tags, allowing arbitrary JavaScript execution when the page loads [1][2].

Attack Vector and Prerequisites

Exploitation requires the ability to inject malicious content into a SilverStripe application, typically through user-controllable input that is later rendered as part of a page. The attacker must be able to supply a crafted href value in a link tag that is included via XHR. No authentication is strictly required if the application allows anonymous submissions; however, the attack surface depends on the application's specific features. The XHR endpoint itself does not need to be vulnerable, but the stored content that is later retrieved and rendered must be untrusted [2].

Impact

A successful attack allows an attacker to execute arbitrary JavaScript in the context of any user who views the affected page. This can lead to session hijacking, credential theft, defacement, or other client-side attacks. The vulnerability is classified as stored XSS, meaning the malicious payload persists across sessions and can affect multiple users [1][2].

Mitigation Status

As of the publication date (2022-06-29), no patch had been released for the affected versions. Users are advised to upgrade to the latest patched version of SilverStripe Framework once available, or to apply input sanitization and output encoding to all data that is rendered via XHR responses. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities catalog.
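As an added illustration of the output-side check recommended above (not code from SilverStripe or from this advisory), the following JavaScript rejects link hrefs whose scheme is not on an allowlist before XHR-delivered markup reaches the live DOM. `isSafeHref`, `sanitizeLinkHrefs` and the resolve base are assumed names, and the helper assumes the affected link tags are anchor elements.

```javascript
// Defensive check for link hrefs that arrive in an XHR/fetch response and are
// inserted into the DOM. Hypothetical helper, not SilverStripe's own code.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:", "mailto:"]);

// Assumed base for resolving relative links; any absolute https URL works here.
const RESOLVE_BASE = "https://example.invalid/";

// Returns true when `href` resolves to an allowed scheme. Resolving with the
// WHATWG URL parser (the same rules the browser applies) keeps relative links
// such as "/about" or "#top" usable and normalises scheme case and stray
// whitespace, so a scheme outside the allowlist is rejected however it is written.
function isSafeHref(href) {
  if (typeof href !== "string") return false;
  let parsed;
  try {
    parsed = new URL(href, RESOLVE_BASE);
  } catch {
    return false; // unparsable input: refuse rather than guess
  }
  return ALLOWED_PROTOCOLS.has(parsed.protocol);
}

// Strips the href from every anchor under `root` whose target fails the check.
// It reads the decoded attribute value (getAttribute), which is what the browser
// would navigate to, so entity-encoded markup is judged after decoding.
// Returns the number of hrefs removed, for logging or tests.
function sanitizeLinkHrefs(root) {
  let removed = 0;
  for (const anchor of root.querySelectorAll("a[href]")) {
    if (!isSafeHref(anchor.getAttribute("href"))) {
      anchor.removeAttribute("href");
      removed += 1;
    }
  }
  return removed;
}

// Typical browser use once the XHR response has been parsed (DOMParser does not
// run scripts in the parsed document). This is one layer only: a full HTML
// sanitizer is still needed for event-handler attributes and other vectors.
//   const doc = new DOMParser().parseFromString(xhr.responseText, "text/html");
//   sanitizeLinkHrefs(doc.body);
//   container.replaceChildren(...doc.body.childNodes);
```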

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                              Affected versions     Patched versions
silverstripe/framework (Packagist)   >= 4.0.0, < 4.10.9    4.10.9

Affected products: 3

Patches: 0 (No patches discovered yet.)

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0 (No linked articles in our index yet.)