PT-2024-13629 · Silverstripe · Silverstripe/Framework

Nick K · Published 2024-01-23 · Updated 2024-02-02 · CVE-2023-48714

CVSS v3.1: 4.3 Medium

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Silverstripe Framework versions prior to 4.13.39 and 5.1.11

Description

The issue allows a user to access a record's title even if they should not be able to see the record, by adding it to a GridField using the GridFieldAddExistingAutocompleter component.

Recommendations

For versions prior to 4.13.39, update to version 4.13.39 or later. For versions prior to 5.1.11, update to version 5.1.11 or later.

Exploit

Fix

Information Disclosure

Incorrect Permission


Weakness Enumeration

Related Identifiers

CVE-2023-48714
GHSA-QM2J-QVQ3-J29V

Affected Products

Silverstripe/Framework