CVE-2023-44401
CVSS 3.1 Score 5.3 of 10 (medium)
Details
Summary
CVE-2023-44401 affects versions 4.0.0 to 4.3.6 of Silverstripe CMS and 5.0.0 to 5.1.2 GraphQL Server. In these versions, the GraphQL server bypasses `canView` permission checks for ORM data in paginated queries if the total number of records exceeds the number per page. This issue also impacts queries with a limit, even if they aren't paginated. The vulnerability has been resolved in versions 4.3.7 and 5.1.3 by performing `canView` checks before fetching records from the database. As a result, some pages of query results may have fewer records than the maximum allowed per page. This behavior is consistent with Silverstripe's pagination mechanism, which performs permission checks in PHP instead of the database. Users can disable these checks by turning off the `CanViewPermission` plugin.
Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.
Affected Vendors
- SilverStripe
Advisories, Assessments, and Mitigations
Prioritize, Pinpoint, and Act to Prevent Vulnerability Exploits with Recorded Future
- Gain complete coverage of your cyber, third party, and physical attack surface
- Proactively mitigate threats before they turn into costly attacks
- Make fast, effective, data-driven decisions