CVE-2023-44401

Summary

CVE-2023-44401 affects versions 4.0.0 to 4.3.6 of Silverstripe CMS and 5.0.0 to 5.1.2 GraphQL Server. In these versions, the GraphQL server bypasses `canView` permission checks for ORM data in paginated queries if the total number of records exceeds the number per page. This issue also impacts queries with a limit, even if they aren't paginated. The vulnerability has been resolved in versions 4.3.7 and 5.1.3 by performing `canView` checks before fetching records from the database. As a result, some pages of query results may have fewer records than the maximum allowed per page. This behavior is consistent with Silverstripe's pagination mechanism, which performs permission checks in PHP instead of the database. Users can disable these checks by turning off the `CanViewPermission` plugin.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.