CVE-2023-48714 — Sensitive Information Exposure in Silverstripe-framework

CWE-200 — Sensitive Information Exposure CWE-732 — Incorrect Permission Assignment3 documents3 sources

Severity

4.3MEDIUMNVD

EPSS

0.2%

top 54.62%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Silverstripe Silverstripe-framework Silverstripe Framework

Timeline

PublishedJan 23

Description

Silverstripe Framework is the framework that forms the base of the Silverstripe content management system. Prior to versions 4.13.39 and 5.1.11, if a user should not be able to see a record, but that record can be added to a `GridField` using the `GridFieldAddExistingAutocompleter` component, the record's title can be accessed by that user. Versions 4.13.39 and 5.1.11 contain a fix for this issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages3 packages

▶NVDsilverstripe/framework5.0.0 — 5.1.11+1

▶Packagistsilverstripe/framework5.0.0 — 5.1.11+1

▶CVEListV5silverstripe/silverstripe-framework< 4.13.39+1

🔴Vulnerability Details

OSV

Record titles for restricted records can be viewed if exposed by GridFieldAddExistingAutocompleter↗2024-01-23

▶

GHSA

Record titles for restricted records can be viewed if exposed by GridFieldAddExistingAutocompleter↗2024-01-23

▶