Skip to content

Missing permission check of canView in GridFieldPrintButton

Moderate
GuySartorelli published GHSA-jh3w-6jp2-vqqm Apr 26, 2023

Package

composer silverstripe/framework (Composer)

Affected versions

<=4.12.5

Patched versions

4.12.5, 4.13.0

Description

The GridField print view incorrectly validates the permission of DataObjects potentially allowing a content author to view records they are not authorised to access.

Upgrade to silverstripe/framework 4.12.5 or above to address the issue.

Reported by Stephan Bauer from relaxt Webdienstleistungsagentur GmbH

Severity

Moderate
4.3
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVE ID

CVE-2023-22728

Weaknesses