4.11.1 Security release

Overview

The primary purpose of this release is to patch 9 vulnerabilities in Silverstripe CMS core modules:

  • 1 high impact SQL injection vulnerability with a CVSS score of 7.1
  • 7 medium impact cross site scripting (XSS) vulnerabilities with CVSS scores ranging from 4.2 to 5.4
  • 1 low impact XSS vulnerability with a CVSS score of 3.7.

Included module versions

Module                          Version
silverstripe/admin              1.11.3
silverstripe/asset-admin        1.11.2
silverstripe/assets             1.11.1
silverstripe/campaign-admin     1.11.0
silverstripe/cms                4.11.3
silverstripe/config             1.4.0
silverstripe/errorpage          1.11.0
silverstripe/framework          4.11.14
silverstripe/graphql            4.0.0
silverstripe/login-forms        4.7.0
silverstripe/mimevalidator      2.4.0
silverstripe/reports            4.11.0
silverstripe/siteconfig         4.11.0
silverstripe/versioned          1.11.1
silverstripe/versioned-admin    1.11.1

Supported module versions

Module                                                  Version
bringyourownideas/silverstripe-composer-update-checker  3.0.0
bringyourownideas/silverstripe-maintenance              2.6.0
cwp/agency-extensions                                   2.7.0
cwp/cwp                                                 2.10.1
cwp/cwp-core                                            2.11.0
cwp/cwp-pdfexport                                       1.4.0
cwp/cwp-search                                          1.7.0
cwp/starter-theme                                       3.2.0
cwp/watea-theme                                         3.1.0
dnadesign/silverstripe-elemental                        4.9.4
dnadesign/silverstripe-elemental-userforms              3.2.1
silverstripe/akismet                                    4.3.0
silverstripe/auditor                                    2.5.0
silverstripe/blog                                       3.10.0
silverstripe/ckan-registry                              1.5.0
silverstripe/comment-notifications                      2.3.0
silverstripe/comments                                   3.8.0
silverstripe/content-widget                             2.4.0
silverstripe/contentreview                              4.5.0
silverstripe/crontask                                   2.5.0
silverstripe/documentconverter                          2.3.0
silverstripe/elemental-bannerblock                      2.5.0
silverstripe/elemental-fileblock                        2.4.0
silverstripe/environmentcheck                           2.5.0
silverstripe/externallinks                              2.3.0
silverstripe/fulltextsearch                             3.11.1
silverstripe/gridfieldqueuedexport                      2.7.0
silverstripe/html5                                      2.4.0
silverstripe/hybridsessions                             2.5.2
silverstripe/iframe                                     2.3.0
silverstripe/ldap                                       1.4.0
silverstripe/mfa                                        4.6.2
silverstripe/realme                                     4.3.0
silverstripe/registry                                   2.5.0
silverstripe/restfulserver                              2.5.0
silverstripe/security-extensions                        4.3.0
silverstripe/securityreport                             2.5.0
silverstripe/segment-field                              2.6.0
silverstripe/sharedraftcontent                          2.7.2
silverstripe/sitewidecontent-report                     3.3.0
silverstripe/spamprotection                             3.3.0
silverstripe/spellcheck                                 2.4.0
silverstripe/subsites                                   2.6.0
silverstripe/tagfield                                   2.9.0
silverstripe/taxonomy                                   2.4.0
silverstripe/textextraction                             3.4.0
silverstripe/totp-authenticator                         4.4.0
silverstripe/userforms                                  5.13.1
silverstripe/versionfeed                                2.3.0
silverstripe/webauthn-authenticator                     4.5.0
silverstripe/widgets                                    2.3.0
symbiote/silverstripe-advancedworkflow                  5.7.0
symbiote/silverstripe-multivaluefield                   5.3.0
symbiote/silverstripe-queuedjobs                        4.10.1
tractorcow/silverstripe-fluent                          4.7.0

Upgrade considerations

We recommend that all Silverstripe CMS projects upgrade to a patched version as soon as possible. However, given that this release patches 9 individual vulnerabilities, it may be advisable to prioritise deploying the one high impact fix first.

If deploying all 9 patches at once is not practical for you, consider deploying the CVE-2022-38148 Blind SQL Injection fix first:

  • CVE-2022-38148 is the highest impact vulnerability.
  • The CVE-2022-38148 patch has been backported to Silverstripe CMS 4.10 as well as 4.11.
  • The CVE-2022-38148 patch has very limited risk of regression for existing projects.

Most of the patches in this release have a limited risk of regression. The vast majority of Silverstripe CMS projects should be able to upgrade with little to no work.

If your project uses custom shortcode providers, you may wish to pay closer attention to the CVE-2022-38724 patch and consider adding additional validation around any custom shortcode attributes.

If your site hosts GPX files, the CVE-2022-38147 patch could be problematic for you. You may need to manually re-enable this file type or stop using these files altogether.

If you wish to do the smallest update possible to receive all the security patches and not update any other modules, then update to the following dependencies:

  • silverstripe/assets 1.11.1
  • silverstripe/framework 4.11.14
  • silverstripe/admin 1.11.3
  • silverstripe/versioned-admin 1.11.1
  • silverstripe/cms 4.11.3

If you wish to do the smallest update possible to only receive the security patch for CVE-2022-38724 and not update any other modules, then update to the following dependency:

  • silverstripe/framework 4.10.11 or 4.11.14

Security considerations

This release includes security fixes. Review the individual vulnerability disclosures for more detailed descriptions of each security fix. We highly encourage upgrading your project to include the latest security patches.

We have provided a high-level severity rating of the vulnerabilities below based on the CVSS score. Note that the impact of each vulnerability could vary based on the specifics of each project. You can read the severity rating definitions in the Silverstripe CMS release process.

CVE-2022-38148 Blind SQL Injection in gridfield state from URL

Prior to this release, gridfield state was vulnerable to an SQL injection vulnerability by providing an invalid sort parameter. To exploit this issue an attacker would need access to a CMS user account. All gridfields in the CMS were potentially affected by this vulnerability.

Because of the high impact of this vulnerability, the fix has been backported to silverstripe/framework 4.10.11 as well.

  • Severity: High
  • CVSS: 7.1

Read the full CVE-2022-38148 disclosure

CVE-2022-38146 URL XSS vulnerability due to outdated jQuery in CMS

The Silverstripe CMS UI uses jQuery 1.7.2. This version of jQuery is affected by CVE-2019-11358 (Object.prototype pollution). An attacker could perform an XSS attack by convincing a user to follow a link with a specially crafted URL.

silverstripe/admin 1.11.3 addresses this problem by stopping all JavaScript execution if the URL contains a specific payload.

Follow up work to upgrade to jQuery 3.6.1 or later will take place in the Silverstripe CMS 4.12.0 release.

  • Severity: Medium
  • CVSS: 5.4

Read the full CVE-2022-38146 disclosure

CVE-2022-38462 Reflected XSS in backURL get variable

An attacker could perform an XSS attack by inserting a JavaScript payload in the backURL query string parameter and convincing a user to follow a link.

  • Severity: Medium
  • CVSS: 4.2

Read the full CVE-2022-38462 disclosure

CVE-2022-38724 XSS in shortcodes

A malicious content author could add arbitrary attributes to HTML editor shortcodes, which could be used to inject a JavaScript payload on the front end of the site. The shortcode providers that ship with Silverstripe CMS have been reviewed, and attribute whitelists have been implemented where appropriate to negate this risk.

If your project includes custom shortcode providers, consider reviewing them and implementing a similar whitelist when rendering the shortcodes to HTML.
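As an added illustration of the whitelist approach recommended above (example code, not code from Silverstripe CMS or this release), the following hypothetical custom shortcode provider accepts only a fixed set of attribute names and values before rendering anything. The class `CalloutShortcodeProvider`, the `callout` shortcode and its `variant` and `id` attributes are invented for this example; `ShortcodeParser::get('default')->register()`, `Convert::raw2att()` and `Convert::raw2xml()` are existing Silverstripe CMS 4 framework APIs. Attribute names are lowercased before matching, so a differently-cased attribute name cannot slip past the whitelist.

```php
<?php

// Example only: a hypothetical custom shortcode provider, not shipped with
// Silverstripe CMS. Renders [callout variant="info" id="x"]text[/callout].
// Assumes Silverstripe CMS 4.x (Convert and ShortcodeParser are framework classes).

use SilverStripe\Core\Convert;
use SilverStripe\View\Parsers\ShortcodeParser;

class CalloutShortcodeProvider
{
    /** Attribute names a content author may set; anything else is dropped. */
    private static array $allowed_attributes = ['variant', 'id'];

    /** Closed set of accepted "variant" values (the value becomes a class name). */
    private static array $allowed_variants = ['info', 'warning', 'danger'];

    /**
     * Handler with the signature ShortcodeParser::register() expects.
     */
    public static function handle_shortcode($arguments, $content, $parser, $shortcode, $extra = [])
    {
        $attrs = self::filterAttributes((array) $arguments);

        $classes = 'callout callout-' . $attrs['variant'];
        $idAttr = $attrs['id'] !== ''
            ? ' id="' . Convert::raw2att($attrs['id']) . '"'
            : '';

        // Values are still escaped with raw2att after whitelisting, so a quote in
        // a value can never break out of the attribute. The inner content is
        // treated as plain text (raw2xml) in this example; relax that only if
        // nested markup is genuinely required.
        return '<div class="' . Convert::raw2att($classes) . '"' . $idAttr . '>'
            . Convert::raw2xml((string) $content)
            . '</div>';
    }

    /**
     * Reduce author-supplied attributes to the whitelist. Names are matched
     * case-insensitively so "ONCLICK" and "onclick" are rejected alike.
     */
    public static function filterAttributes(array $arguments): array
    {
        $safe = ['variant' => 'info', 'id' => ''];

        foreach ($arguments as $name => $value) {
            $name = strtolower(trim((string) $name));
            if (!in_array($name, self::$allowed_attributes, true)) {
                continue; // unknown (or event-handler) attribute: dropped silently
            }
            $value = (string) $value;

            if ($name === 'variant') {
                // Must be one of the known variants, never free text.
                if (in_array($value, self::$allowed_variants, true)) {
                    $safe['variant'] = $value;
                }
                continue;
            }

            if ($name === 'id') {
                // Conservative identifier pattern; anything else is ignored.
                if (preg_match('/^[A-Za-z][A-Za-z0-9_-]{0,63}$/', $value)) {
                    $safe['id'] = $value;
                }
            }
        }

        return $safe;
    }
}

// Registration, normally placed in the project's _config.php:
ShortcodeParser::get('default')->register(
    'callout',
    [CalloutShortcodeProvider::class, 'handle_shortcode']
);
```

With this in place, `[callout variant="warning" onclick="x" id="note-1"]Hello[/callout]` renders a `<div class="callout callout-warning" id="note-1">Hello</div>`; the `onclick` attribute never reaches the output because it is not on the whitelist, and a `variant` or `id` value outside the accepted set falls back to the default.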

  • Severity: Medium
  • CVSS: 4.6

Read the full CVE-2022-38724 disclosure

CVE-2022-38145 Stored XSS in Compare Mode feature of history view

A malicious content author could add a JavaScript payload to a page's meta description and get it executed in the versioned history compare view.

Exploiting this vulnerability requires access to the CMS. The attacker must then convince a privileged user to access the version history for that page.

  • Severity: Medium
  • CVSS: 4.6

Read the full CVE-2022-38145 disclosure

CVE-2022-37430 Stored XSS using uppercase characters in HTMLEditor

A malicious content author could add a JavaScript payload to the href attribute of a link. A similar issue was identified and fixed via CVE-2022-28803. However, that fix didn't account for the casing of the href attribute.

  • Severity: Medium
  • CVSS: 4.6

Read the full CVE-2022-37430 disclosure

CVE-2022-37429 Stored XSS using HTMLEditor

A malicious content author could add a JavaScript payload to the href attribute of a link by splitting a javascript: URL with whitespace characters.

  • Severity: Medium
  • CVSS: 4.6

Read the full CVE-2022-37429 disclosure

CVE-2022-37421 Stored XSS when creating a page with "Custom Meta Tags"

A malicious content author could create a custom meta tag and execute an arbitrary JavaScript payload. This would require convincing a legitimate user to access the page and enter a custom keyboard shortcut.

  • Severity: Low
  • CVSS: 3.7

Read the full CVE-2022-37421 disclosure

CVE-2022-38147 Stored XSS by uploading ".gpx" file

A malicious content author could upload a GPX file with a JavaScript payload. The payload could then be executed by luring a legitimate user to view the file in a browser with support for GPX files. GPX is an XML-based format used to contain GPS data.

By default, Silverstripe CMS will no longer allow GPX files to be uploaded to the assets area.

You can re-enable support for GPX files if you need them, but be aware that there is an inherent risk in allowing content authors to use this file format.

  • Severity: Medium
  • CVSS: 4.6

Read the full CVE-2022-38147 disclosure

Future jQuery update

Historically, the team looking after Silverstripe CMS has not been overly concerned with upgrading jQuery because it was perceived that any underlying vulnerability in this JavaScript library would be mitigated by having user input go through our PHP backend. CVE-2022-38146 has caused us to reassess this position.

Upgrading to the latest version of jQuery in a patch release was not considered a viable solution. We elected to mitigate the vulnerability with a workaround.

jQuery will be upgraded from 1.7 to 3.6 in the upcoming Silverstripe CMS 4.12.0 release. This may impact some third party modules that use entwine/jQuery to interact with the Silverstripe CMS UI. The Silverstripe CMS 4.12.0 beta is now available. We encourage all maintainers to test their modules against this beta to identify potential regressions.

We appreciate the awkwardness of upgrading jQuery in Silverstripe CMS 4 at this time, with Silverstripe CMS 5 on the horizon. However, since Silverstripe CMS 4 still has two years of life left, the risk of running an unsupported jQuery version seemed too great.

Regression test and Security audit

This release has been comprehensively regression tested and passed to a third party for a security-focused audit.

While it is still advised that you perform your own due diligence when upgrading your project, this work is performed to ensure a safe and secure upgrade with each recipe release.

Bugfixes

Beyond the 9 vulnerability patches since the Silverstripe CMS 4.11.0 release, the following bug fixes will also be included if you deploy all the security patches.

Change Log

Security

Features and Enhancements

  • silverstripe/installer (4.11.0 -> 4.11.3)

    • 2022-06-01 57195ea Add and ignore public/_graphql (Guy Sartorelli)
    • 2022-05-30 612ff29 Add .graphql-generated directory by default. (Guy Sartorelli)
  • silverstripe/framework (4.11.0 -> 4.11.14)

    • 2022-08-24 a3c1cb0dd Set PasswordEncryption on default admin (Steve Boyd)

Bugfixes

  • silverstripe/framework (4.11.0 -> 4.11.14)

    • 2022-10-19 e3a6cad8a Allow passing objects to InjectionCreator::create() (Steve Boyd)
    • 2022-09-26 4a598ded5 Allow removing named extensions in yaml config (Guy Sartorelli)
    • 2022-08-25 6d885ab89 Normalise casing before casting fields (Guy Sartorelli)
    • 2022-08-01 6b15bd6dd Invalid argument warning in backtrace (Loz Calver)
    • 2022-07-21 dd210e0f8 Check if blank method passed (#10417) (Steve Boyd)
    • 2022-07-04 9b45342a0 Add missing casting for Form::getAttributesHTML (fixes #10386) (Loz Calver)
    • 2022-07-04 ad83b78a1 Handle null values passed to PDO::quote() (#10383) (Brandon Iffert)
    • 2022-07-03 babc81138 Remove unexpected message (Sabina Talipova)
    • 2022-07-01 b37178e83 'passwordsent' title was not being displayed (fixes #10366) (#10367) (Loz Calver)
    • 2022-06-30 5a940b0f1 PDO in PHP 8 (Steve Boyd)
    • 2022-06-29 6c0166151 Support search filters with match_any searchable_fields (Guy Sartorelli)
    • 2022-06-28 a77ca74a7 Ensure not passing null to mysql methods for PHP 8.1 compatibility (Steve Boyd)
    • 2022-05-30 e24fb3f86 Fix i18nTextCollector produces corrupt output / namespaces when running under PHP8.0 (#10228) (Christian Bünte)
    • 2022-05-24 e0c4f01c1 Resolve deduping problem with group codes. (Guy Sartorelli)
    • 2022-05-10 e91b7be05 Use DataColumns content when available in CSV export (Steve Piner)
    • 2022-04-29 19bb72e7c Correctly remove relations with ManyManyThroughList::removeall (Guy Sartorelli)
  • silverstripe/admin (1.11.0 -> 1.11.3)

    • 2022-08-18 6161caf1 Do not reverse state change when reauthenticating (Steve Boyd)
    • 2022-05-04 340a24c2 Collapse the preview panel by default if no preview is available. (Guy Sartorelli)
    • 2022-04-14 a96c99c7 Allow localisation of hardcoded link strings. (Guy Sartorelli)
    • 2022-01-10 4ca59430 Inconsistent state between current URL and actual content if XHR request fails: Ensuring we only reverse to previous state if current XHR failure is a server request, exclude aborts. Also unpause state via setTimeout() due to unfortunate use of setTimeout() in window.ss.router.back(). (Patrick Nelson)
    • 2019-11-26 20ef8e71 case error in SelectionGroup template (Mason Dechaineux)
  • silverstripe/asset-admin (1.11.0 -> 1.11.2)

    • 2022-07-26 b346e501 Include default_sort in sortChildren method (Steve Boyd)
    • 2022-06-09 fb299b3a Show correct error message instead of successful message if file exceeding maximum file size (Sabina Talipova)
  • silverstripe/cms (4.11.0 -> 4.11.3)

    • 2022-07-08 4d679ab4 Hide uploadfield in redirector page by default (Guy Sartorelli)
    • 2022-05-06 83104da3 Ensure unstaged versioned objects can be previewed. (Guy Sartorelli)
    • 2022-05-04 c02549cf Allow empty PreviewURLs for CMSPreviewable objects (Guy Sartorelli)
  • silverstripe/versioned (1.11.0 -> 1.11.1)

    • 2022-06-16 0dda24a comparing versions when class changes (#363) (Will Rossiter)
  • silverstripe/sharedraftcontent (2.7.0 -> 2.7.2)

    • 2022-06-08 e465937 Logout bug on shared preview page (Sabina Talipova)
  • silverstripe/userforms (5.13.0 -> 5.13.1)

    • 2022-06-01 63c6326 MAX_FILE_SIZE of the last EditableFileField (Sabina Talipova)
    • 2022-05-25 0c066a3 Add skipping argument and new behat tests (Sabina Talipova)
  • dnadesign/silverstripe-elemental (4.9.0 -> 4.9.4)

    • 2022-08-08 54246f9 Use consistent name for BaseElement graphql typename (#996) (Guy Sartorelli)
    • 2022-07-13 09355b0 Obsolete classes don't break the elemental area. (Guy Sartorelli)
    • 2022-04-13 2195434 getOwnerPage() should respect Versioned state. (Will Rossiter)
  • silverstripe/recipe-solr-search (2.11.0 -> 2.11.1)

    • 2022-07-21 d4bf6cb Ensure injectable version of queuedjobs is installed (Steve Boyd)
  • symbiote/silverstripe-queuedjobs (4.10.0 -> 4.10.1)

    • 2022-05-31 8e4ba4f Correctly log errors during job initialisation (fixes #316) (Loz Calver)
  • silverstripe/mfa (4.6.1 -> 4.6.2)

    • 2022-08-22 6f6be46 Strip spaces out of recovery code input (#463) (Phillip King)
  • dnadesign/silverstripe-elemental-userforms (3.2.0 -> 3.2.1)

    • 2022-05-17 78c875b Check current controller has a functional link (Steve Boyd)

Dependencies

  • silverstripe/installer (4.11.0 -> 4.11.3)

    • 2022-05-05 8fe8bf5 4.11 dev requirements (Steve Boyd)
  • silverstripe/recipe-cms (4.11.0 -> 4.11.1)

    • 2022-05-09 5665a59 Allow graphql 3.8 dev dependency (Steve Boyd)
    • 2022-05-06 ff4400a 4.11 dev requirements (Steve Boyd)
  • silverstripe/recipe-core (4.11.0 -> 4.11.1)

    • 2022-05-09 1560c62 4.11 dev requirements (Steve Boyd)
  • silverstripe/recipe-collaboration (1.11.0 -> 1.11.1)

    • 2022-05-09 b0e97ff 4.11 dev requirements (Steve Boyd)
  • silverstripe/recipe-form-building (1.11.0 -> 1.11.1)

    • 2022-05-06 080e731 4.11 dev requirements (Steve Boyd)
  • silverstripe/userforms (5.13.0 -> 5.13.1)

    • 2022-05-26 8feb4ba Require a minimum version of segment field that installs in the vendor folder (Steve Boyd)
  • silverstripe/recipe-content-blocks (2.11.0 -> 2.11.1)

    • 2022-05-05 cedc64b 4.11 dev requirements (Steve Boyd)
  • silverstripe/fulltextsearch (3.11.0 -> 3.11.1)

    • 2022-05-30 ef2d27f Require proxy-db ^1 (Steve Boyd)

Documentation

  • silverstripe/framework (4.11.0 -> 4.11.14)

    • 2022-06-30 30cd52102 Update docs for searchable and summary fields. (Guy Sartorelli)

Other changes

  • silverstripe/framework (4.11.0 -> 4.11.14)

    • 2022-11-09 78b661dcf Prevent infinite loop when getting table name for ComponentID (Lee Bradley)
    • 2022-09-28 54892fa26 request may not have a session (Thomas Portelange)
  • silverstripe/cms (4.11.0 -> 4.11.3)

    • 2022-09-30 9ca4895f Reset ExtraClass on ViewModeSelector include (Bram de Leeuw)
  • silverstripe/sharedraftcontent (2.7.0 -> 2.7.2)

    • 2022-08-07 07487f8 Update src/Extensions/ShareDraftContentFileShortcodeProviderExtension.php (Chris Penny)
    • 2022-08-03 f58af10 Bugfix: Check for active controller before access getRequest() (Chris Penny)
  • dnadesign/silverstripe-elemental (4.9.0 -> 4.9.4)

    • 2022-04-21 d117559 CMSEditLink method modified to support DataObject links and Example of using ElemenatalArea with DataObject (Sabina Talipova)