CVE-2023-49783

Summary

CVE-2023-49783 is a vulnerability affecting the Silverstripe Admin, specifically versions on the 1.x branch prior to 1.13.19 and on the 2.x branch prior to 2.1.8. The vulnerability allows users with create permissions but without edit or delete permissions to still edit or delete records using the CSV import form in ModelAdmin. The likelihood of a user having create permissions but not edit or delete permissions is low, but it is possible. To remediate this vulnerability, users should update to versions 1.13.19 or 2.1.8, which contain a patch for the issue. Additionally, those who have a custom implementation of BulkLoader should update their implementations to respect permissions when the return value of getCheckPermissions() is true, and those who use any BulkLoader in their project logic should consider passing true to setCheckPermissions(). The potential danger this vulnerability poses to an organization is rated as medium severity with a base score of 4.3 out of 10 according to the CVSS score provided by [email protected].

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.