CVE-2022-37429
Description
Silverstripe silverstripe/framework through 4.11 allows XSS (issue 1 of 2) via JavaScript payload to the href attribute of a link by splitting a javascript URL with white space characters.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Silverstripe framework through 4.11 allows cross-site scripting via whitespace-splitting of javascript: URLs in href attributes, enabling arbitrary script injection.
Vulnerability
CVE-2022-37429 is an XSS vulnerability in Silverstripe silverstripe/framework up to version 4.11. The root cause is inadequate sanitization of the href attribute when it contains a javascript: URL with whitespace characters, allowing the URL scheme to be split and bypassing filters [2][3].
Exploitation
An attacker can craft a malicious link whose href splits the javascript scheme with whitespace characters. When a user clicks the link, the browser executes the JavaScript payload. No authentication is required if the link is reflected or stored in a vulnerable context [2].
Impact
Successful exploitation leads to arbitrary JavaScript execution in the victim's browser, potentially resulting in session hijacking, data theft, or further attacks.
Mitigation
Silverstripe has provided patches in subsequent releases. Users are advised to upgrade to a version beyond 4.11. The Silverstripe forum [1] and the FriendsOfPHP security advisory [3] provide details on fixed versions.
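The filter failure described above, illustrated with added example code that is not Silverstripe's own: a naive check that inspects the raw attribute prefix is passed by a javascript: URL whose scheme is split by a tab or newline, whereas a check that first normalizes the value the way browsers do (stripping tab, LF and CR anywhere, and leading or trailing controls and spaces) and then allow-lists the scheme rejects it. The function names and the sample hrefs are constructed for this illustration.

```javascript
// Added example, not Silverstripe code. Shows why an href scheme check must
// normalize the value the way a browser will before looking at the scheme.

// Naive check: compares only the raw (trimmed) prefix of the attribute value.
// An embedded tab or newline inside "javascript" defeats it.
function naiveHrefIsSafe(href) {
  return !href.trim().toLowerCase().startsWith("javascript:");
}

// Browsers strip ASCII tab, LF and CR anywhere in a URL, and strip leading and
// trailing C0 controls and spaces, before parsing the scheme. Mirror that so
// the check sees the same scheme the browser will act on.
function normalizeHref(href) {
  return href
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "") // leading/trailing controls, space
    .replace(/[\t\n\r]/g, "");                            // embedded tab, LF, CR
}

// Allow-list of schemes a CMS link is permitted to use.
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto", "tel"]);

// Hardened check: normalize first, then allow-list the scheme. Values without
// a scheme (relative URLs) are allowed; any unlisted scheme is rejected, which
// also rejects values such as "localhost:8080/x" that a browser would treat as
// scheme "localhost".
function hardenedHrefIsSafe(href) {
  const value = normalizeHref(href);
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(value);
  if (!m) return true; // relative URL, no scheme
  return ALLOWED_SCHEMES.has(m[1].toLowerCase());
}

// Constructed sample hrefs, as an auditor might pull them from stored content.
const SAMPLE_HREFS = [
  "https://example.com/",
  "/about-us",
  "mailto:someone@example.com",
  "javascript:alert(1)",
  "java\tscript:alert(1)",
  " java\nscript:alert(1)",
];

// Returns the hrefs the hardened check rejects, for review or removal.
function findUnsafeHrefs(hrefs) {
  return hrefs.filter((h) => !hardenedHrefIsSafe(h));
}
```

Of the six constructed sample hrefs, the naive check flags only the first javascript: entry, while `findUnsafeHrefs(SAMPLE_HREFS)` returns all three.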
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| silverstripe/framework (Packagist) | >= 4.0.0, < 4.11.13 | 4.11.13 |
Affected products
- Silverstripe / silverstripe/framework
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-wc6r-4ggc-79w5 (advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-37429 (advisory)
- forum.silverstripe.org/c/releases (web)
- github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2022-37429.yaml (web)
- www.silverstripe.org/blog/tag/release (web)
- www.silverstripe.org/download/security-releases (web)
- www.silverstripe.org/download/security-releases/cve-2022-37429 (web)
- www.silverstripe.org/download/security-releases/ (MITRE)
- www.silverstripe.org/download/security-releases/CVE-2022-37429 (MITRE)
News mentions
No linked articles in our index yet.