CVE-2023-49783

Summary

CVE-2023-49783 is a vulnerability affecting the Silverstripe Admin interface on versions 1.x prior to 1.13.19 and 2.x prior to 2.1.8. Despite lacking edit or delete permissions for records in a `ModelAdmin`, users can still manipulate those records through the CSV import form, provided they have create permissions. Although the likelihood of this situation occurring is low, it poses a risk to data security. The patch for this issue is available in versions 1.13.19 and 2.1.8. Users with custom `BulkLoader` implementations should ensure they respect permissions when `getCheckPermissions()` returns true. Additionally, those using or maintaining modules that employ `BulkLoader` are advised to consider passing `true` to `setCheckPermissions()` to mitigate potential security risks.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.