Incorrect Authorization

CVE-2023-49783

Severity Medium
Score 4.3/10

Summary

Silverstripe Admin provides a basic management interface for the Silverstripe Framework. Users who don't have edit or delete permissions for records exposed in a `ModelAdmin` can still edit or delete those records through the CSV import form, provided they have create permissions. The likelihood of a user having create permissions but not edit or delete permissions is low, but it is possible. Note that this doesn't affect any `ModelAdmin` which has had the import form disabled via the `showImportForm` public property. Those who have a custom implementation of `BulkLoader` should update their implementations to respect permissions when the return value of `getCheckPermissions()` is true. Those who use any `BulkLoader` in their own project logic, or maintain a module that uses it, should consider passing `true` to `setCheckPermissions()` if the data is provided by users. This issue affects silverstripe/admin versions through 1.13.18 and 2.0.0-alpha1 through 2.1.7, silverstripe/framework versions through 4.13.38 and 5.0.0-alpha1 through 5.1.10, silverstripe/cms versions 2.4.9 through 2.5.0, and silverstripe/siteconfig versions 2.4.9 through 2.4.13.
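The mitigation described above, as an added example that is not code from the Silverstripe project: a custom CSV loader that skips records the current user may not create or edit whenever `getCheckPermissions()` is true, and a caller that enables the check for user-supplied data. The parent class and the `processRecord()` / `findExistingObject()` signatures are assumed to match `CsvBulkLoader` in a patched silverstripe/framework.

```php
<?php
// Added example, not part of the silverstripe/framework code base.
// Assumes CsvBulkLoader::processRecord($record, $columnMap, &$results, $preview)
// and the protected helper findExistingObject($record, $columnMap) exist as in
// the project's own loader.

use SilverStripe\Core\Injector\Injector;
use SilverStripe\Dev\CsvBulkLoader;

class PermissionAwareCsvLoader extends CsvBulkLoader
{
    protected function processRecord($record, $columnMap, &$results, $preview = false)
    {
        // Only enforce when the caller asked for it (ModelAdmin's import form should;
        // trusted back-end jobs may leave it off).
        if ($this->getCheckPermissions()) {
            $existing = $this->findExistingObject($record, $columnMap);
            if ($existing) {
                // The CSV row matches an existing record, so the import would
                // UPDATE it: require edit permission, not just create.
                if (!$existing->canEdit()) {
                    return null; // skipped, nothing is written
                }
            } else {
                // A new record would be created: require create permission.
                $probe = Injector::inst()->create($this->objectClass);
                if (!$probe->canCreate()) {
                    return null;
                }
            }
        }
        return parent::processRecord($record, $columnMap, $results, $preview);
    }
}

// Project-side usage (hypothetical DataObject class name and CSV path):
// any data that comes from a user upload should run with permission checks on.
$loader = new PermissionAwareCsvLoader('App\\Model\\Product');
$loader->setCheckPermissions(true);
$results = $loader->processAll('/tmp/user-upload.csv');
```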

CVSS v3 metrics

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality: NONE
  • Integrity: LOW
  • Availability: NONE

CWE-863 - Incorrect Authorization

Authorization is a security mechanism performed by an application to grant or deny access to the requested resources by verifying the privileges of the user. When an application lacks effective authorization mechanisms, it enables unauthorized users to gain unintended privileges and illegitimate access to resources. Such a vulnerability may result in exposure of sensitive information, denial of service, arbitrary code execution, and complete system takeover.

Advisory Timeline

  • Published