CVE-2023-44401

CVSS 3.1 Score 5.3 of 10 (medium)

Details

Published Jan 23, 2024

Updated: Jan 30, 2024

CWE ID 863

Summary

CVE-2023-44401 affects versions 4.0.0 to 4.3.6 of Silverstripe CMS and 5.0.0 to 5.1.2 GraphQL Server. In these versions, the GraphQL server bypasses `canView` permission checks for ORM data in paginated queries if the total number of records exceeds the number per page. This issue also impacts queries with a limit, even if they aren't paginated. The vulnerability has been resolved in versions 4.3.7 and 5.1.3 by performing `canView` checks before fetching records from the database. As a result, some pages of query results may have fewer records than the maximum allowed per page. This behavior is consistent with Silverstripe's pagination mechanism, which performs permission checks in PHP instead of the database. Users can disable these checks by turning off the `CanViewPermission` plugin.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

Share

Affected Vendors

SilverStripe

Advisories, Assessments, and Mitigations

Prioritize, Pinpoint, and Act to Prevent Vulnerability Exploits with Recorded Future

Note: This is just a basic overview providing quick insights into CVE-2023-44401 information. Gain full access to comprehensive CVE data, third party vulnerabilities, compromised credentials and more with Recorded Future

Gain complete coverage of your cyber, third party, and physical attack surface
Proactively mitigate threats before they turn into costly attacks
Make fast, effective, data-driven decisions

Book your demo

Sign in

Back to Vulnerability Database