The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Upgrade silverstripe/admin to version 1.13.19, 2.1.8 or higher.
silverstripe/admin is a SilverStripe admin interface.
Affected versions of this package are vulnerable to Incorrect Authorization via the ModelAdmin CSV import form. An attacker with create permission can modify or remove records they should not have access to by exploiting the CSV import functionality.
Notes:
This is only exploitable if the attacker has create permission but lacks edit or delete permission for the records (a user who already holds edit or delete permission gains nothing from the import form). A user with create permission but without edit or delete permission is uncommon, but it is possible.
Note that this doesn't affect any ModelAdmin which has had the import form disabled via the showImportForm public property, nor does it impact the SecurityAdmin section.
If you have a custom implementation of BulkLoader, update it so that it respects create, edit and delete permissions whenever getCheckPermissions() returns true.
If you use any BulkLoader in your project logic, or maintain a module that uses one, consider passing true to setCheckPermissions() whenever the imported data is supplied by users.
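The following is an added example illustrating both remediation steps above; it is not code from silverstripe/admin, silverstripe/framework or this advisory. It assumes a silverstripe/framework release that ships BulkLoader::getCheckPermissions() and setCheckPermissions(), that CsvBulkLoader exposes findExistingObject() for its duplicate lookup, and that the Product class, its SKU field and the CSV path are hypothetical. A custom loader that overrides processRecord() has to gate writes itself; here the gate is shown in a CsvBulkLoader subclass that delegates the actual write to the parent once the check passes.

```php
<?php
// Added example for this advisory; not code from silverstripe/admin or the
// SilverStripe project. Assumes a silverstripe/framework release providing
// BulkLoader::getCheckPermissions()/setCheckPermissions(). Product, its SKU
// field and the CSV path are hypothetical.

use SilverStripe\Dev\CsvBulkLoader;
use SilverStripe\ORM\DataObject;
use SilverStripe\Security\Security;

/**
 * Hypothetical record type being imported.
 */
class Product extends DataObject
{
    private static $table_name = 'Product';
    private static $db = [
        'SKU'   => 'Varchar(64)',
        'Title' => 'Varchar(255)',
    ];
}

/**
 * A custom loader that replaces processRecord() must perform the
 * create/edit checks itself whenever getCheckPermissions() is true;
 * a delete path (for example deleteExistingRecords) needs canDelete() too.
 */
class ProductLoader extends CsvBulkLoader
{
    public $columnMap = [
        'SKU'   => 'SKU',
        'Title' => 'Title',
    ];

    public $duplicateChecks = [
        'SKU' => 'SKU',   // a row whose SKU already exists updates that record
    ];

    protected function processRecord($record, $columnMap, &$results, $preview = false)
    {
        if ($this->getCheckPermissions()) {
            $member = Security::getCurrentUser();
            // CsvBulkLoader's own duplicate lookup (assumed available in 4.x/5.x).
            $existing = $this->findExistingObject($record, $columnMap);

            // Create permission alone must not let a user overwrite an existing
            // record: updates require canEdit(), new rows require canCreate().
            $allowed = $existing
                ? $existing->canEdit($member)
                : Product::singleton()->canCreate($member);

            if (!$allowed) {
                // Refuse the row without writing it, so it is neither created
                // nor updated in the result.
                return null;
            }
        }

        return parent::processRecord($record, $columnMap, $results, $preview);
    }
}

// Project code that imports user-supplied data: opt in to permission checks.
// Without setCheckPermissions(true) the loader performs no permission checks,
// so a create-only user could update existing rows through SKU collisions.
$loader = new ProductLoader(Product::class);
$loader->setCheckPermissions(true);

$results = $loader->load('/tmp/products.csv');   // hypothetical upload path
printf("created=%d updated=%d\n", $results->CreatedCount(), $results->UpdatedCount());
```

The important property is that the check distinguishes the two write paths: a row that matches an existing record via duplicateChecks is an update and is gated by canEdit(), while a row with no match is a create and is gated by canCreate(). Collapsing both into a single canCreate() check is exactly the gap this advisory describes.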