Multiple vulnerabilities in SilverStripe Framework
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2023-49783 CVE-2023-48714 |
| CWE-ID | CWE-264 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
SilverStripe Framework Server applications / Frameworks for developing and running applications |
| Vendor | SilverStripe |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU85699
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-49783
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote user to gain access to sensitive information.
The vulnerability exists due to a missing permissions check in BulkLoader. A remote user can gain access to sensitive information.
Install updates from vendor's website.
Vulnerable software versionsSilverStripe Framework: 4.0.0 - 5.1.10
External linkshttp://github.com/silverstripe/silverstripe-framework/releases/tag/5.1.11
http://github.com/silverstripe/silverstripe-framework/pull/11112
http://github.com/silverstripe/silverstripe-framework/releases/tag/4.13.39
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU85700
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-48714
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote user to gain access to sensitive information.
The vulnerability exists due to application does not properly impose security restrictions when retrieving data via GridFieldAddExistingAutocompleter. A remote user can view record titles they should not have access to.
Install updates from vendor's website.
Vulnerable software versionsSilverStripe Framework: 4.0.0 - 5.1.10
External linkshttp://github.com/silverstripe/silverstripe-framework/releases/tag/5.1.11
http://github.com/silverstripe/silverstripe-framework/releases/tag/4.13.39
http://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-qm2j-qvq3-j29v
http://github.com/silverstripe/silverstripe-framework/pull/11113
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
