CVE-2023-48714: Exposure of Sensitive Information to an Unauthorized Actor

January 23, 2024

Silverstripe Framework is the framework that forms the base of the Silverstripe content management system. Prior to versions 4.13.39 and 5.1.11, if a user should not be able to see a record, but that record can be added to a GridField using the GridFieldAddExistingAutocompleter component, the record’s title can be accessed by that user. Versions 4.13.39 and 5.1.11 contain a fix for this issue.

References

github.com/advisories/GHSA-qm2j-qvq3-j29v
github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-qm2j-qvq3-j29v
nvd.nist.gov/vuln/detail/CVE-2023-48714
www.silverstripe.org/download/security-releases/CVE-2023-48714

Code Behaviors & Features

Detect and mitigate CVE-2023-48714 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →