CVE-2024-32981 – Cross-site Scripting vulnerability with encoded payload in silverstripe/framework
https://notcve.org/view.php?id=CVE-2024-32981
Silverstripe framework is the PHP framework forming the base for the Silverstripe CMS. In affected versions a bad actor with access to edit content in the CMS could add send a specifically crafted encoded payload to the server, which could be used to inject a JavaScript payload on the front end of the site. The payload would be sanitised on the client-side, but server-side sanitisation doesn't catch it. The server-side sanitisation logic has been updated to sanitise against this type of attack in version 5.2.16. All users are advised to upgrade. • https://github.com/silverstripe/silverstripe-framework/commit/b8d20dc9d531550e06fd7da7a0eafa551922e2e1 https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-chx7-9x8h-r5mg https://www.silverstripe.org/download/security-releases/cve-2024-32981 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2024-29885 – Reports are still accessible even when `canView()` returns false in silverstripe/reports
https://notcve.org/view.php?id=CVE-2024-29885
silverstripe/reports is an API for creating backend reports in the Silverstripe Framework. In affected versions reports can be accessed by their direct URL by any user who has access to view the reports admin section, even if the `canView()` method for that report returns `false`. This issue has been addressed in version 5.2.3. All users are advised to upgrade. There are no known workarounds for this vulnerability. silverstripe/reports es una API para crear informes de backend en Silverstripe Framework. • https://github.com/silverstripe/silverstripe-reports/commit/0351106c18ad4246d983b5f4e082c09c382121f4 https://github.com/silverstripe/silverstripe-reports/security/advisories/GHSA-89q6-98xx-4ffw https://www.silverstripe.org/download/security-releases/cve-2024-29885 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2023-49783 – No permission checks for editing/deleting records with CSV import form
https://notcve.org/view.php?id=CVE-2023-49783
Silverstripe Admin provides a basic management interface for the Silverstripe Framework. In versions on the 1.x branch prior to 1.13.19 and on the 2.x branch prior to 2.1.8, users who don't have edit or delete permissions for records exposed in a `ModelAdmin` can still edit or delete records using the CSV import form, provided they have create permissions. The likelihood of a user having create permissions but not having edit or delete permissions is low, but it is possible. Note that this doesn't affect any `ModelAdmin` which has had the import form disabled via the `showImportForm` public property. Versions 1.13.19 and 2.1.8 contain a patch for the issue. • https://github.com/silverstripe/silverstripe-admin/security/advisories/GHSA-j3m6-gvm8-mhvw https://www.silverstripe.org/download/security-releases/CVE-2023-49783 • CWE-863: Incorrect Authorization •
CVE-2023-48714 – Record titles for restricted records can be viewed if exposed by GridFieldAddExistingAutocompleter
https://notcve.org/view.php?id=CVE-2023-48714
Silverstripe Framework is the framework that forms the base of the Silverstripe content management system. Prior to versions 4.13.39 and 5.1.11, if a user should not be able to see a record, but that record can be added to a `GridField` using the `GridFieldAddExistingAutocompleter` component, the record's title can be accessed by that user. Versions 4.13.39 and 5.1.11 contain a fix for this issue. Silverstripe Framework es el framework que forma la base del sistema de gestión de contenidos Silverstripe. Antes de las versiones 4.13.39 y 5.1.11, si un usuario no podía ver un registro, pero ese registro se podía agregar a un `GridField` usando el componente `GridFieldAddExistingAutocompleter`, ese usuario podía acceder al título del registro. • https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-qm2j-qvq3-j29v https://www.silverstripe.org/download/security-releases/CVE-2023-48714 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-732: Incorrect Permission Assignment for Critical Resource •
CVE-2023-44401 – Silverstripe GraqhQL's view permissions are bypassed for paginated lists of ORM data
https://notcve.org/view.php?id=CVE-2023-44401
The Silverstripe CMS GraphQL Server serves Silverstripe data as GraphQL representations. In versions 4.0.0 prior to 4.3.7 and 5.0.0 prior to 5.1.3, `canView` permission checks are bypassed for ORM data in paginated GraphQL query results where the total number of records is greater than the number of records per page. Note that this also affects GraphQL queries which have a limit applied, even if the query isn’t paginated per se. This has been fixed in versions 4.3.7 and 5.1.3 by ensuring no new records are pulled in from the database after performing `canView` permission checks for each page of results. This may result in some pages in the query results having less than the maximum number of records per page even when there are more pages of results. • https://github.com/silverstripe/silverstripe-graphql/security/advisories/GHSA-jgph-w8rh-xf5p https://www.silverstripe.org/download/security-releases/CVE-2023-44401 • CWE-863: Incorrect Authorization •