CVSS: 4.3 | EPSS: 0% | CPEs: 2 | EXPL: 0

Silverstripe Framework is the framework that forms the base of the Silverstripe content management system. Prior to versions 4.13.39 and 5.1.11, if a user should not be able to see a record, but that record can be added to a `GridField` using the `GridFieldAddExistingAutocompleter` component, the record's title can be accessed by that user. Versions 4.13.39 and 5.1.11 contain a fix for this issue. • https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-qm2j-qvq3-j29v https://www.silverstripe.org/download/security-releases/CVE-2023-48714 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor; CWE-732: Incorrect Permission Assignment for Critical Resource

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

Silverstripe Framework is the Model-View-Controller framework that powers the Silverstripe content management system. Prior to version 4.12.15, an attacker can display a link to a third-party website on a login screen by convincing a legitimate content author to follow a specially crafted link. Users should upgrade to Silverstripe Framework 4.12.15 or above to address the issue. • https://github.com/silverstripe/silverstripe-framework/commit/1a5bb4cbece1721203977910b8ecd8b79c18dc77 https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-fw84-xgm8-9jmv • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

Silverstripe Framework is the Model-View-Controller framework that powers the Silverstripe content management system. Prior to version 4.12.15, the GridField print view incorrectly validates the permission of DataObjects, potentially allowing a content author to view records they are not authorised to access. Users should upgrade to Silverstripe Framework 4.12.15 or above to address the issue. • https://github.com/silverstripe/silverstripe-framework/commit/fd5d8217e83768d7bf841e94b2d4d82642d5bc58 https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-jh3w-6jp2-vqqm • CWE-862: Missing Authorization

CVSS: 5.3 | EPSS: 0% | CPEs: 1 | EXPL: 2

The authentication method in Laravel 8.x through 9.x before 9.32.0 was discovered to be vulnerable to user enumeration via timeless timing attacks with HTTP/2 multiplexing. This is caused by the early return inside the hasValidCredentials method in the Illuminate\Auth\SessionGuard class when a user is found not to exist. • https://ephort.dk/blog/laravel-timing-attack-vulnerability https://github.com/ephort/laravel-user-enumeration-demo https://github.com/laravel/framework/pull/44069 https://github.com/laravel/framework/releases/tag/v9.32.0 • CWE-203: Observable Discrepancy

CVSS: 6.1 | EPSS: 0% | CPEs: 12 | EXPL: 1

Cross-site Scripting (XSS), reflected, in the GitHub repository nuxt/framework prior to v3.0.0-rc.13. • https://github.com/nuxt/framework/commit/253c8f7ee0c0c580c44dedbe9387646264e90a1e https://huntr.dev/bounties/70ac720d-c932-4ed3-98b1-dd2cbcb90185 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')