4.3
CVE-2023-48714
- EPSS 0.36%
- Published 23.01.2024 14:15:37
- Last modified 21.11.2024 08:32:19
- Source security-advisories@github.com
Record titles for restricted records can be viewed if exposed by GridFieldAddExistingAutocompleter
Silverstripe Framework is the framework that forms the base of the Silverstripe content management system. Prior to versions 4.13.39 and 5.1.11, if a user should not be able to see a record, but that record can be added to a `GridField` using the `GridFieldAddExistingAutocompleter` component, the record's title can be accessed by that user. Versions 4.13.39 and 5.1.11 contain a fix for this issue.
Data provided by the National Vulnerability Database (NVD)
Silverstripe ≫ Framework Version < 4.13.39
Silverstripe ≫ Framework Version >= 5.0.0 < 5.1.11
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.36% | 0.272 |
| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 4.3 | 2.8 | 1.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| security-advisories@github.com | 4.3 | 2.8 | 1.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-732 Incorrect Permission Assignment for Critical Resource
The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-qm2j-qvq3-j29v
https://www.silverstripe.org/download/security-releases/CVE-2023-48714