Description
Record titles for restricted records can be viewed if exposed by GridFieldAddExistingAutocompleter
Impact
If a user should not be able to see a record, but that record can be added to a GridField using the GridFieldAddExistingAutocompleter component, the record's title can be accessed by that user.
Base CVSS: 4.3
Reported by: Nick K - LittleMonkey, littlemonkey.co.nz
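As an added example (not code from the advisory or from Silverstripe itself), the sketch below shows the shape of the problem and one site-level mitigation for installs that cannot yet upgrade: the autocompleter searches whatever list it is given, so narrowing that list to records the current member passes `canView()` for keeps restricted titles out of the search results. The `Document` class, its `canView()` rule, the `DocumentPage` class and its `Documents` relation are assumed for illustration; the real fix is the patched framework versions listed on this page.

```php
<?php
// Added example, not part of the advisory or of the Silverstripe code base.
// Assumed: a DataObject `Document` whose canView() returns false for some
// members, linked to `DocumentPage` via a many_many relation `Documents`.

use SilverStripe\Forms\GridField\GridField;
use SilverStripe\Forms\GridField\GridFieldAddExistingAutocompleter;
use SilverStripe\Forms\GridField\GridFieldConfig_RelationEditor;
use SilverStripe\ORM\DataList;
use SilverStripe\Security\Security;

class DocumentPage extends Page
{
    private static $many_many = [
        'Documents' => Document::class,
    ];

    public function getCMSFields()
    {
        $fields = parent::getCMSFields();

        // Before (affected versions): the relation editor's autocompleter
        // searches every Document, so a CMS user who may not view a restricted
        // Document still gets its Title back in the "add existing" suggestions.
        $unsafeConfig = GridFieldConfig_RelationEditor::create();
        $unsafeGrid = GridField::create('Documents', 'Documents', $this->Documents(), $unsafeConfig);

        // After (site-level workaround): hand the component a DataList that only
        // contains records the current member is allowed to view. The component
        // then runs its own search and "not already linked" logic over that list.
        $member = Security::getCurrentUser();
        $viewableIDs = [];
        foreach (Document::get() as $doc) { // one canView() call per record; acceptable for small tables
            if ($doc->canView($member)) {
                $viewableIDs[] = $doc->ID;
            }
        }
        // Assumed sentinel: if nothing is viewable, filter on ID 0 so the list is empty
        // rather than unfiltered.
        $searchList = DataList::create(Document::class)->filter('ID', $viewableIDs ?: [0]);

        $safeConfig = GridFieldConfig_RelationEditor::create();
        $safeConfig
            ->getComponentByType(GridFieldAddExistingAutocompleter::class)
            ->setSearchList($searchList);
        $safeGrid = GridField::create('Documents', 'Documents', $this->Documents(), $safeConfig);

        // Only the restricted grid is exposed in the CMS.
        $fields->addFieldToTab('Root.Documents', $safeGrid);

        return $fields;
    }
}
```

The workaround only covers grids you configure this way and re-evaluates `canView()` on every CMS form load, so treat it as a stopgap and upgrade to a patched release.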
References
- https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-qm2j-qvq3-j29v
- https://nvd.nist.gov/vuln/detail/CVE-2023-48714
- https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2023-48714.yaml
- https://www.silverstripe.org/download/security-releases/CVE-2023-48714
Affected packages

Package                  Affected versions      Patched version
silverstripe/framework   < 4.13.39              4.13.39
silverstripe/framework   >= 5.0.0, < 5.1.11     5.1.11
Related vulnerabilities
Silverstripe Framework is the framework that forms the base of the Silverstripe content management system. Prior to versions 4.13.39 and 5.1.11, if a user should not be able to see a record, but that record can be added to a `GridField` using the `GridFieldAddExistingAutocompleter` component, the record's title can be accessed by that user. Versions 4.13.39 and 5.1.11 contain a fix for this issue.