CVE-2022-38462
Description
Silverstripe silverstripe/framework through 4.11 is vulnerable to XSS by carefully crafting a return URL on a /dev/build or /Security/login request.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Silverstripe Framework through 4.11 is vulnerable to stored XSS via a crafted return URL on /dev/build or /Security/login requests.
Vulnerability
CVE-2022-38462 is a cross-site scripting (XSS) vulnerability in Silverstripe Framework versions up to 4.11. The flaw exists in how the framework handles the return URL parameter on /dev/build and /Security/login endpoints. Insufficient sanitization of user-supplied input allows an attacker to inject arbitrary JavaScript code that gets executed in the browser of a user visiting these pages [2].
Exploitation
An attacker can exploit this vulnerability by crafting a malicious URL that includes a specially-designed return parameter. No authentication is required for the /dev/build endpoint, and the /Security/login endpoint may be accessible without login. The attacker would need to trick a user into clicking the crafted link, or the link could be used in a phishing campaign. The injected script runs in the context of the victim's session, potentially allowing access to cookies or other sensitive data [2].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser. This can lead to session hijacking, defacement, or theft of sensitive information visible on the site. The severity is rated as medium (CVSS 3.x score TBD) due to the requirement for user interaction [2].
Mitigation
The Silverstripe team has addressed this vulnerability in version 4.11.1 of the framework. Users are strongly advised to update to this version or later. The FriendsOfPHP security advisory confirms the fix and provides details on affected versions [3]. No workarounds have been publicly documented.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
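The defensive pattern behind a fix for this class of bug (an untrusted return URL reflected into a page) is worth seeing concretely. The PHP below is an added example written for this record, not Silverstripe's own code or its patch: it reduces a user-supplied return URL to a same-site path, refusing foreign hosts and non-http schemes, and HTML-escapes the result before it is placed in an attribute. The function names, the `$allowedHost` value and the sample inputs are constructed for illustration.

```php
<?php
// Added example (not Silverstripe code): validate and escape a return URL
// before rendering it. Names and the site host below are hypothetical.

declare(strict_types=1);

/**
 * Reduce an untrusted return URL to a relative path on this site.
 * Absolute URLs to other hosts, protocol-relative "//host" forms,
 * non-http schemes (javascript:, data:, ...) and control characters
 * all collapse to $fallback instead of being reflected.
 */
function sanitizeReturnUrl(string $candidate, string $allowedHost, string $fallback = '/'): string
{
    $candidate = trim($candidate);
    if ($candidate === '' || preg_match('/[\x00-\x1F\x7F]/', $candidate)) {
        return $fallback;
    }
    // Some browsers normalise "/\host" to "//host"; refuse backslashes outright.
    if (str_contains($candidate, '\\')) {
        return $fallback;
    }
    $parts = parse_url($candidate);
    if ($parts === false) {
        return $fallback;
    }
    if (isset($parts['scheme'])) {
        $scheme = strtolower($parts['scheme']);
        if (!in_array($scheme, ['http', 'https'], true)) {
            return $fallback;            // javascript:, data:, vbscript:, ...
        }
        if (!isset($parts['host']) || strcasecmp($parts['host'], $allowedHost) !== 0) {
            return $fallback;            // absolute URL pointing off-site
        }
    } elseif (isset($parts['host'])) {
        return $fallback;                // protocol-relative "//other.example/"
    }
    $path = $parts['path'] ?? '/';
    if ($path === '' || $path[0] !== '/') {
        $path = '/' . $path;             // always an absolute path on this site
    }
    if (isset($parts['query']))    { $path .= '?' . $parts['query']; }
    if (isset($parts['fragment'])) { $path .= '#' . $parts['fragment']; }
    return $path;
}

/**
 * Render the link. Escaping with ENT_QUOTES is the second layer: even a
 * path that passed validation but contains quotes or angle brackets cannot
 * break out of the href attribute. Interpolating the raw parameter into
 * the markup directly is the pattern that leads to reflected XSS.
 */
function renderReturnLink(string $rawBackUrl, string $allowedHost): string
{
    $safe = sanitizeReturnUrl($rawBackUrl, $allowedHost);
    return '<a href="' . htmlspecialchars($safe, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '">Continue</a>';
}

// Constructed inputs exercising each branch; the host is an assumption.
$host = 'www.example.test';
$samples = [
    '/admin/pages',                          // plain same-site path: kept
    'https://www.example.test/account?tab=1', // absolute but same host: reduced to path
    'javascript:alert(1)',                   // non-http scheme: replaced by "/"
    '//attacker.example/',                   // protocol-relative off-site: replaced by "/"
    '/path" data-x="y',                      // quote in path: escaped, cannot break out
];
foreach ($samples as $s) {
    echo renderReturnLink($s, $host), PHP_EOL;
}
```

The two layers are deliberately independent: validation stops open redirects and script-scheme URLs, while output escaping stops attribute injection regardless of what validation let through. A fix that relies on only one of them is the kind of partial patch that gets reopened later.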
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| silverstripe/framework (Packagist) | >= 4.0.0, < 4.11.13 | 4.11.13 |
Affected products
- Silverstripe/framework
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-vvxf-r4vm-2vm6
- nvd.nist.gov/vuln/detail/CVE-2022-38462
- forum.silverstripe.org/c/releases
- github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2022-38462.yaml
- www.silverstripe.org/blog/tag/release
- www.silverstripe.org/download/security-releases
- www.silverstripe.org/download/security-releases/cve-2022-38462
- www.silverstripe.org/download/security-releases/mitre
News mentions
No linked articles in our index yet.