CVE-2023-49783Incorrect Authorization in Admin

CWE-863Incorrect Authorization3 documents3 sources
Severity
4.3MEDIUMNVD
EPSS
0.1%
top 65.08%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Silverstripe AdminSilverstripe Silverstripe-admin
Timeline
PublishedJan 23

Description

Silverstripe Admin provides a basic management interface for the Silverstripe Framework. In versions on the 1.x branch prior to 1.13.19 and on the 2.x branch prior to 2.1.8, users who don't have edit or delete permissions for records exposed in a `ModelAdmin` can still edit or delete records using the CSV import form, provided they have create permissions. The likelihood of a user having create permissions but not having edit or delete permissions is low, but it is possible. Note that this doesn

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages3 packages

NVDsilverstripe/admin1.0.01.13.19+1
Packagistsilverstripe/admin1.0.01.13.19+1
CVEListV5silverstripe/silverstripe-admin>= 1.0.0, < 1.13.19, >= 2.0.0, < 2.1.8+1

🔴Vulnerability Details

2
GHSA
No permission checks for editing/deleting records with CSV import form2024-01-23
OSV
No permission checks for editing/deleting records with CSV import form2024-01-23