CVE-2023-22728 MEDIUM

CVE-2023-22728: Silverstripe Framework has missing permission check of canView in GridFieldPrintButton

Vendor: Silverstripe
Product: silverstripe-framework
Weakness: CWE-862 · Missing authorization
Published: April 26, 2023
Last update: January 31, 2025

CVSS base score: 4.3/10 (Medium)

Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

Description

Silverstripe Framework is the Model-View-Controller framework that powers the Silverstripe content management system. Prior to version 4.12.15, the GridField print view (GridFieldPrintButton) does not correctly check the canView permission of the DataObjects it renders, potentially allowing a content author to view records they are not authorised to access. Users should upgrade to Silverstripe Framework 4.12.15 or above to address the issue.

Key dates

Disclosure timeline

April 26, 2023: CVE published
January 31, 2025: Record updated