CVE-2022-38724
Description
Silverstripe silverstripe/framework through 4.11.0, silverstripe/assets through 1.11.0, and silverstripe/asset-admin through 1.11.0 allow XSS.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Silverstripe CMS framework, assets, and asset-admin contain a stored XSS vulnerability potentially affecting authenticated users.
Vulnerability
Overview
The Silverstripe CMS components silverstripe/framework through version 4.11.0, silverstripe/assets through 1.11.0, and silverstripe/asset-admin through 1.11.0 are affected by a stored cross-site scripting (XSS) vulnerability [2]. The official description confirms that these versions allow XSS, indicating that user-supplied input is not adequately sanitized when stored and later rendered in the administrative interface.
Exploitation
Prerequisites
To exploit this vulnerability, an attacker must have a valid authenticated session in the Silverstripe CMS backend, as the XSS payload is likely injected through administrative forms (e.g., content fields, file metadata, or asset-admin settings). The ability to store the malicious script means the attack can be triggered when other administrators view the infected page or asset, making it a persistent threat that can propagate within the admin panel.
Impact
Assessment
Successful exploitation enables an attacker to execute arbitrary JavaScript within the context of the victim's browser session. This can lead to session hijacking, unauthorized actions performed on behalf of the victim (e.g., privilege escalation, data exfiltration), or defacement of CMS-managed content. The impact is limited to authenticated users, but given the administrative context, the potential for lateral movement or account takeover is significant.
Mitigation
Status
As of the publication date (2022-11-22), the vendor's release notes and security advisory forum [1] should be consulted for patched versions. The FriendsOfPHP security advisories [3][4] provide YAML-based CVE tracking that can assist in verifying the affected package versions. Administrators are advised to upgrade to the latest versions of the Silverstripe framework, assets, and asset-admin modules that include fixes for this XSS issue.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| silverstripe/assets (Packagist) | >= 1.0.0, < 1.11.1 | 1.11.1 |
| silverstripe/framework (Packagist) | >= 4.0.0, < 4.11.13 | 4.11.13 |
Affected products
- Silverstripe/silverstripe/framework (GHSA coordinates), 2 version ranges: >= 1.0.0, < 1.11.1 and >= 4.0.0, < 4.11.13
- (no CPE) range: >= 1.0.0, < 1.11.1
- (no CPE) range: >= 4.0.0, < 4.11.13
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-9cx2-hj6m-fv58 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-38724 (GHSA, advisory)
- forum.silverstripe.org/c/releases (GHSA, web)
- github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/assets/CVE-2022-38724.yaml (GHSA, web)
- github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2022-38724.yaml (GHSA, web)
- www.silverstripe.org/blog/tag/release (GHSA, web)
- www.silverstripe.org/download/security-releases (GHSA, web)
- www.silverstripe.org/download/security-releases/cve-2022-38724 (GHSA, web)
- www.silverstripe.org/download/security-releases (MITRE)
- www.silverstripe.org/download/security-releases/CVE-2022-38724 (MITRE)
News mentions
No linked articles in our index yet.