CVE-2023-48714

Record titles for restricted records can be viewed if exposed by GridFieldAddExistingAutocompleter

Severity Score

4.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Silverstripe Framework is the framework that forms the base of the Silverstripe content management system. Prior to versions 4.13.39 and 5.1.11, if a user should not be able to see a record, but that record can be added to a `GridField` using the `GridFieldAddExistingAutocompleter` component, the record's title can be accessed by that user. Versions 4.13.39 and 5.1.11 contain a fix for this issue.

Silverstripe Framework es el framework que forma la base del sistema de gestión de contenidos Silverstripe. Antes de las versiones 4.13.39 y 5.1.11, si un usuario no podía ver un registro, pero ese registro se podía agregar a un `GridField` usando el componente `GridFieldAddExistingAutocompleter`, ese usuario podía acceder al título del registro. Las versiones 4.13.39 y 5.1.11 contienen una solución para este problema.

*Credits: N/A

CVSS Scores

NISTv3.1 4.3

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-11-17 CVE Reserved
2024-01-23 CVE Published
2024-02-02 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CWE-732: Incorrect Permission Assignment for Critical Resource

CAPEC

References (2)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-qm2j-qvq3-j29v	2024-02-02
https://www.silverstripe.org/download/security-releases/CVE-2023-48714	2024-02-02

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Silverstripe Search vendor "Silverstripe"		Framework Search vendor "Silverstripe" for product "Framework"				< 4.13.39 Search vendor "Silverstripe" for product "Framework" and version " < 4.13.39"		-		Affected
Silverstripe Search vendor "Silverstripe"		Framework Search vendor "Silverstripe" for product "Framework"				>= 5.0.0 < 5.1.11 Search vendor "Silverstripe" for product "Framework" and version " >= 5.0.0 < 5.1.11"		-		Affected