Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-22728: Missing permission check of canView in GridFieldPrintButton

Silverstripe Framework is the Model-View-Controller framework that powers the Silverstripe content management system. Prior to version 4.12.15, the GridField print view incorrectly validates the permission of DataObjects potentially allowing a content author to view records they are not authorised to access. Users should upgrade to Silverstripe Framework 4.12.15 or above to address the issue.

CVE
Open in Source
#web#auth

Package

composer silverstripe/framework (Composer)

Affected versions

<=4.12.5

Patched versions

4.12.5, 4.13.0

Description

The GridField print view incorrectly validates the permission of DataObjects potentially allowing a content author to view records they are not authorised to access.

Upgrade to silverstripe/framework 4.12.5 or above to address the issue.

Reported by Stephan Bauer from relaxt Webdienstleistungsagentur GmbH

Related news

GHSA-jh3w-6jp2-vqqm: Missing permission check of canView in GridFieldPrintButton

The GridField print view incorrectly validates the permission of DataObjects potentially allowing a content author to view records they are not authorised to access. Upgrade to `silverstripe/framework` 4.12.5 or above to address the issue. Reported by Stephan Bauer from [relaxt Webdienstleistungsagentur GmbH](https://www.relaxt.at/)

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE