GoogleOSV:GHSA-JH3W-6JP2-VQQMMissing permission check of canView in GridFieldPrintButton
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
EPSS
Percentile
29.6%
The GridField print view incorrectly validates the permission of DataObjects potentially allowing a content author to view records they are not authorised to access.
Upgrade to silverstripe/framework 4.12.5 or above to address the issue.
Reported by Stephan Bauer from relaxt Webdienstleistungsagentur GmbH
References
github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2023-22728.yaml
github.com/silverstripe/silverstripe-framework
github.com/silverstripe/silverstripe-framework/commit/fd5d8217e83768d7bf841e94b2d4d82642d5bc58
github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-jh3w-6jp2-vqqm
nvd.nist.gov/vuln/detail/CVE-2023-22728
www.silverstripe.org/download/security-releases/cve-2023-22728
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
EPSS
Percentile
29.6%