Skip to main content

This site requires you to update your browser. Your browsing experience maybe affected by not having the most up to date version.

CVE-2023-48714 - Record titles for restricted records can be viewed if exposed by GridFieldAddExistingAutocompleter

Medium (?)
Versions Affected:
silverstripe/framework: ^3, ^4, ^5
Versions Fixed:
silverstripe/framework: 4.11.39, 5.1.11
Release Date:

If a user should not be able to see a record, but that record can be added to a GridField using the GridFieldAddExistingAutocompleter component, the record's title can be accessed by that user.

Base CVSS: 4.3
Reported by: 
Nick K - LittleMonkey,