CVSS: 4.3 | EPSS: 0% | CPEs: 2 | EXPL: 0

Silverstripe Framework is the framework that forms the base of the Silverstripe content management system. Prior to versions 4.13.39 and 5.1.11, if a user should not be able to see a record, but that record can be added to a `GridField` using the `GridFieldAddExistingAutocompleter` component, the record's title can be accessed by that user. Versions 4.13.39 and 5.1.11 contain a fix for this issue.
• https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-qm2j-qvq3-j29v
• https://www.silverstripe.org/download/security-releases/CVE-2023-48714
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
• CWE-732: Incorrect Permission Assignment for Critical Resource

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

Silverstripe Framework is the Model-View-Controller framework that powers the Silverstripe content management system. Prior to version 4.12.15, an attacker can display a link to a third party website on a login screen by convincing a legitimate content author to follow a specially crafted link. Users should upgrade to Silverstripe Framework 4.12.15 or above to address the issue.
• https://github.com/silverstripe/silverstripe-framework/commit/1a5bb4cbece1721203977910b8ecd8b79c18dc77
• https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-fw84-xgm8-9jmv
• CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

Silverstripe Framework is the Model-View-Controller framework that powers the Silverstripe content management system. Prior to version 4.12.15, the GridField print view incorrectly validates the permission of DataObjects, potentially allowing a content author to view records they are not authorised to access. Users should upgrade to Silverstripe Framework 4.12.15 or above to address the issue.
• https://github.com/silverstripe/silverstripe-framework/commit/fd5d8217e83768d7bf841e94b2d4d82642d5bc58
• https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-jh3w-6jp2-vqqm
• CWE-862: Missing Authorization

CVSS: 6.1 | EPSS: 0% | CPEs: 12 | EXPL: 1

Cross-site Scripting (XSS) - Reflected in GitHub repository nuxt/framework prior to v3.0.0-rc.13.
• https://github.com/nuxt/framework/commit/253c8f7ee0c0c580c44dedbe9387646264e90a1e
• https://huntr.dev/bounties/70ac720d-c932-4ed3-98b1-dd2cbcb90185
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 | EPSS: 0% | CPEs: 12 | EXPL: 0

Cross-site Scripting (XSS) - DOM in GitHub repository nuxt/framework prior to v3.0.0-rc.13.
• https://github.com/nuxt/framework/commit/19a2cd14929ca9b55720cb81f71687830a9e59a4
• https://huntr.dev/bounties/131a41e5-c936-4c3f-84fc-e0e1f0e090b5
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')