We are releasing three security patches for Silverstripe CMS to address security vulnerabilities. These vulnerabilities were reported to us following the documented process for reporting security issues, and we are not aware of any attempt to exploit them before the official disclosure today.
All of these vulnerabilities have a “medium” severity rating, and affect both the 4.x and 5.x release lines of Silverstripe CMS.
See the release process documentation for more information about severity ratings.
CVE-2023-49783 - No permission checks for editing or deleting records with CSV import form
When importing records from a CSV, the CMS doesn’t check your permissions before editing or deleting existing records.
In most cases, this doesn’t cause problems because the import form will only display if you can create records, and it is rare to be able to create new records but not edit or delete existing ones. However, some projects have more nuanced permission models that are not being respected by this import functionality.
What does this mean for me?
You will only be affected by this vulnerability if:
- your project uses CSV import functionality, and
- the user importing the CSV has the ability to create, but not to edit or delete records in the list they’re importing to.
If neither (or only one) of those conditions applies to your project, you don’t need to take any immediate action.
Upgrade the silverstripe/framework module to 4.13.39 or 5.1.11 and the silverstripe/admin module to 1.13.19 or 2.1.8 to remedy this vulnerability.
Further action may be required if your project has custom bulk importing functionality. More information about this can be found in the security advisory.
Read the CVE-2023-49783 security advisory for the technical details of this vulnerability.
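For projects that keep their own bulk importer (the "custom bulk importing functionality" mentioned above), the check that was missing is a canEdit()/canDelete() call on each existing record before the import row touches it. The following is an added example, not Silverstripe's own code or the upstream fix. It assumes the CsvBulkLoader hook names processRecord() and findExistingObject() as found in silverstripe/framework 4.x/5.x; verify the signatures against the version installed in your project. The class name PermissionAwareCsvBulkLoader and the App\Import namespace are hypothetical.

```php
<?php
// Added example (not from silverstripe/framework): a CSV importer subclass that
// refuses to update or delete existing records the current user may not modify.
// Assumed: CsvBulkLoader::processRecord($record, $columnMap, &$results, $preview)
// and CsvBulkLoader::findExistingObject($record, $columnMap) exist as in 4.x/5.x.

namespace App\Import;

use SilverStripe\Dev\CsvBulkLoader;
use SilverStripe\ORM\DataObject;
use SilverStripe\Security\Member;
use SilverStripe\Security\Security;

class PermissionAwareCsvBulkLoader extends CsvBulkLoader
{
    /** @var array<int, string> Rows skipped because the user lacked permission. */
    protected array $skippedRows = [];

    /**
     * Decide whether $member may apply one import row.
     * A null $existing means the row would create a new record.
     * The vulnerable behaviour was to gate only on canCreate() and then write
     * to existing records without consulting canEdit()/canDelete().
     */
    public function canApplyRow(?DataObject $existing, ?Member $member): bool
    {
        if ($existing === null) {
            // Creation: the import form already requires canCreate(), but
            // re-checking keeps the loader safe when invoked outside the form.
            return singleton($this->objectClass)->canCreate($member);
        }

        // Updating an existing record is an edit, so it needs canEdit().
        // If your loader also removes records (deleteExistingRecords or a custom
        // path), apply the same pattern with canDelete() before each delete.
        return $existing->canEdit($member);
    }

    protected function processRecord($record, $columnMap, &$results, $preview = false)
    {
        $member = Security::getCurrentUser();
        $existing = $this->findExistingObject($record, $columnMap);

        if (!$this->canApplyRow($existing, $member)) {
            // Skip rather than silently write; record the skip so the editor
            // can see which rows were not imported and why.
            $label = $existing ? "{$this->objectClass}#{$existing->ID}" : 'new record';
            $this->skippedRows[] = "permission denied for {$label}";
            return null;
        }

        return parent::processRecord($record, $columnMap, $results, $preview);
    }

    /** Rows that were skipped on permission grounds, for reporting after import. */
    public function getSkippedRows(): array
    {
        return $this->skippedRows;
    }
}
```

The important design point is that the permission check happens per row against the record that already exists, using the same canEdit()/canDelete() methods the rest of the CMS relies on, so any custom permission model implemented in those methods is honoured by the import path as well.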
CVE-2023-48714 - Record titles for restricted records can be viewed if exposed by GridFieldAddExistingAutocompleter
With some lists of records, you have the option to add existing records to the list. However, the CMS doesn’t check if you have permission to view those records, which can result in seeing the titles of records you shouldn’t be allowed to see.
What does this mean for me?
Your project will be affected by this vulnerability if you have:
- a list of records in a GridField which you can add existing records to, and
- view permissions that restrict some content editors from viewing those records.
Upgrade the silverstripe/framework module to 4.13.39 or 5.1.11 to remedy this vulnerability.
Read the CVE-2023-48714 security advisory for the technical details of this vulnerability.
CVE-2023-44401 - View permissions are bypassed for paginated lists of ORM data in GraphQL queries
Paginated GraphQL queries don’t correctly check permissions for all records being returned when there are more results than the maximum number of records per page.
This can result in records being displayed that the current user should not be allowed to see.
The vulnerability affects areas of the CMS that use GraphQL like the files admin section and elemental blocks, as well as public GraphQL endpoints.
Note that this vulnerability does not affect silverstripe/graphql version 3.x.
What does this mean for me?
Depending on the permission models in use for your project, you might have users who are able to see records in the CMS that they shouldn’t be able to see.
This will also affect your project if you have a public GraphQL endpoint which exposes records that have view permissions beyond simply allowing anyone to view them.
Upgrade the silverstripe/graphql module to 4.3.7 or 5.1.3 to remedy this vulnerability.
Read the CVE-2023-44401 security advisory for the technical details of this vulnerability.
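Both CVE-2023-48714 and CVE-2023-44401 come down to the same rule: every record that reaches the client, whether as an autocompleter title or as one entry in a paginated GraphQL result, must pass canView() for the current user, and pagination must be applied after that filtering, not before. The following is an added example in plain PHP, not code from silverstripe/graphql or silverstripe/framework; the Viewable interface, the Doc class, the array-shaped member and the sample records are all constructed for illustration, and the "naive" function shows the general failure mode rather than the exact code path fixed upstream.

```php
<?php
// Added example (not Silverstripe code): view-permission filtering versus
// pagination. Everything here is constructed for illustration.

interface Viewable
{
    public function canView(array $member): bool;
}

final class Doc implements Viewable
{
    public function __construct(public string $title, private bool $restricted) {}

    // Constructed permission model: restricted docs are visible to admins only.
    public function canView(array $member): bool
    {
        return !$this->restricted || ($member['isAdmin'] ?? false);
    }
}

/**
 * Naive shape (illustrative failure mode): slice the page first, then filter.
 * The page can come back short, and any caller that forgets the filter for
 * later pages returns records the user must not see.
 */
function naivePage(array $records, array $member, int $limit, int $offset): array
{
    $page = array_slice($records, $offset, $limit);
    return array_values(array_filter($page, fn(Viewable $r) => $r->canView($member)));
}

/**
 * Correct shape: filter the whole result set by canView() for this member,
 * then paginate the filtered list. Page size never changes which records
 * are eligible, only how many are shown.
 */
function viewablePage(array $records, array $member, int $limit, int $offset): array
{
    $viewable = array_values(array_filter($records, fn(Viewable $r) => $r->canView($member)));
    return array_slice($viewable, $offset, $limit);
}

/** Titles of the records in a page, the only thing an autocompleter should expose. */
function titlesOf(array $records): array
{
    return array_map(fn(Doc $d) => $d->title, $records);
}

/** Defensive assertion for a response: no returned record may fail canView(). */
function allViewable(array $records, array $member): bool
{
    foreach ($records as $r) {
        if (!$r->canView($member)) {
            return false;
        }
    }
    return true;
}

// Constructed sample data: five records, two of them restricted.
$records = [
    new Doc('Public A', false),
    new Doc('Secret B', true),
    new Doc('Public C', false),
    new Doc('Secret D', true),
    new Doc('Public E', false),
];
$editor = ['isAdmin' => false];

// Correct: page 1 = [Public A, Public C], page 2 = [Public E].
$p1 = viewablePage($records, $editor, 2, 0);
$p2 = viewablePage($records, $editor, 2, 2);
assert(titlesOf($p1) === ['Public A', 'Public C']);
assert(titlesOf($p2) === ['Public E']);
assert(allViewable($p1, $editor) && allViewable($p2, $editor));

// Naive: page 1 of the unfiltered list is [Public A, Secret B], which after
// filtering shrinks to [Public A]; the editor sees an inconsistent page count
// and any code path that skips the filter would leak 'Secret B'.
assert(titlesOf(naivePage($records, $editor, 2, 0)) === ['Public A']);
```

When reviewing a custom GraphQL resolver or a GridField component in your own project, the allViewable() style check is the quickest test to run against a response: if any record in it fails canView() for the requesting member, the filter is being applied in the wrong place.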
Security patch release windows
In August 2023 we adopted a minor release policy, which complements the major release policy we adopted in September 2022. The minor release policy includes release windows for security patches such as this one.
Read the minor release policy for more information about security patch release windows.