CVE-2023-48714 - Record titles for restricted records can be viewed if exposed by GridFieldAddExistingAutocompleter

Severity: Medium
Identifier: CVE-2023-48714
Versions Affected: silverstripe/framework: ^3, ^4, ^5
Versions Fixed: silverstripe/framework: 4.11.39, 5.1.11
Release Date: 2024-01-23

If a user should not be able to see a record, but that record can be added to a GridField using the GridFieldAddExistingAutocompleter component, the record's title can be accessed by that user.

Base CVSS: 4.3
Reported by: Nick K - LittleMonkey, littlemonkey.co.nz
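
The class of flaw described above, modelled in plain PHP as an added example: a title search that returns matches without a per-record view check, next to the same search with the check applied. This is not Silverstripe's code or its patch; `Record`, `searchTitles()`, the user names and the sample records are hypothetical and constructed for illustration.

```php
<?php
// Simplified model of an autocomplete search over records (constructed sample data).
// Record and searchTitles() are hypothetical stand-ins, not Silverstripe classes.

final class Record
{
    public function __construct(
        public int $id,
        public string $title,
        private array $viewers // user names allowed to view this record
    ) {}

    // Stand-in for a per-record view permission check.
    public function canView(string $user): bool
    {
        return in_array($user, $this->viewers, true);
    }
}

/**
 * Return id => title for records whose title contains $term.
 * With $enforceCanView = false every match is returned, whether or not
 * $user may view it, which is the behaviour the advisory describes.
 */
function searchTitles(array $records, string $term, string $user, bool $enforceCanView): array
{
    $out = [];
    foreach ($records as $r) {
        if (stripos($r->title, $term) === false) {
            continue;
        }
        if ($enforceCanView && !$r->canView($user)) {
            continue; // drop records the searching user may not see
        }
        $out[$r->id] = $r->title;
    }
    return $out;
}

$records = [
    new Record(1, 'Public roadmap', ['editor', 'admin']),
    new Record(2, 'Roadmap: restricted draft', ['admin']),
];

// Search as 'editor' without the per-record check.
print_r(searchTitles($records, 'roadmap', 'editor', false));
// Same search with the per-record check applied.
print_r(searchTitles($records, 'roadmap', 'editor', true));
```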