CVE-2023-48714 – silverstripe/framework

Package

Manager: composer
Name: silverstripe/framework
Vulnerable Version: >=0 <4.13.39 || >=5.0.0 <5.1.11

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00226 pctl0.45272

Details

Record titles for restricted records can be viewed if exposed by GridFieldAddExistingAutocompleter ### Impact If a user should not be able to see a record, but that record can be added to a `GridField` using the `GridFieldAddExistingAutocompleter` component, the record's title can be accessed by that user. **Base CVSS:** [4.3](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C&version=3.1) **Reported by:** Nick K - LittleMonkey, [littlemonkey.co.nz](http://littlemonkey.co.nz/) ### References - https://www.silverstripe.org/download/security-releases/CVE-2023-48714

Metadata

Created: 2024-01-23T12:49:27Z
Modified: 2024-01-29T14:22:10Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-qm2j-qvq3-j29v/GHSA-qm2j-qvq3-j29v.json
CWE IDs: ["CWE-200", "CWE-732"]
Alternative ID: GHSA-qm2j-qvq3-j29v
Finding: F310
Auto approve: 1