CVE-2023-22728 — Missing Authorization in Silverstripe-framework

CWE-862 — Missing Authorization3 documents3 sources

Severity

4.3MEDIUMNVD

EPSS

0.5%

top 36.07%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Silverstripe Silverstripe-framework Silverstripe Framework

Timeline

PublishedApr 26

Description

Silverstripe Framework is the Model-View-Controller framework that powers the Silverstripe content management system. Prior to version 4.12.15, the GridField print view incorrectly validates the permission of DataObjects potentially allowing a content author to view records they are not authorised to access. Users should upgrade to Silverstripe Framework 4.12.15 or above to address the issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages3 packages

▶NVDsilverstripe/framework< 4.12.5

▶Packagistsilverstripe/framework< 4.12.5

▶CVEListV5silverstripe/silverstripe-framework< 4.12.5

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Missing permission check of canView in GridFieldPrintButton↗2023-04-26

▶

OSV

Missing permission check of canView in GridFieldPrintButton↗2023-04-26

▶