CVE-2025-30148: 
PHP vulnerability analysis and mitigation

Silverstripe Framework, which powers the Silverstripe CMS, was found to contain a cross-site scripting (XSS) vulnerability prior to version 5.3.23. The vulnerability was discovered by James Nicoll from Fujitsu Cyber and was assigned CVE-2025-30148. The issue was disclosed on April 10, 2025, and affects all versions of the framework before 5.3.23 (Silverstripe Advisory).

The vulnerability allows attackers with CMS content editing access to send specifically crafted encoded payloads to the server, which could then be used to inject JavaScript payloads on the front end of the site. While the payload would be sanitized on the client-side, the server-side sanitization mechanism failed to catch these malicious inputs. The issue was related to improper handling of backspace characters in XSS sanitization. The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N (GitHub Advisory).

The vulnerability could allow authenticated attackers with content editing privileges to execute arbitrary JavaScript code on the front end of the website. This could potentially lead to theft of user data, session hijacking, or other malicious actions performed in the context of site visitors' browsers (GitHub Advisory).

The vulnerability has been fixed in Silverstripe Framework version 5.3.23. The fix involves updating the server-side sanitization logic to properly handle malicious payloads. Users are advised to upgrade to version 5.3.23 or later to address this security issue (Silverstripe Advisory).