Record titles for restricted records can be viewed if exposed by GridFieldAddExistingAutocompleter

Impact

If a user should not be able to see a record, but that record can be added to a GridField using the GridFieldAddExistingAutocompleter component, the record's title can be accessed by that user.

Base CVSS: 4.3
Reported by: Nick K - LittleMonkey, littlemonkey.co.nz

References

https://www.silverstripe.org/download/security-releases/CVE-2023-48714

References

GuySartorelli published to silverstripe/silverstripe-framework Jan 22, 2024

Published to the GitHub Advisory Database Jan 23, 2024

Reviewed Jan 23, 2024

Published by the National Vulnerability Database Jan 23, 2024

Last updated Feb 2, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Package

Affected versions

Patched versions

Description

Impact

References

References

Severity

CVSS base metrics

Weaknesses

CVE ID

GHSA ID

Source code