Lucene search

K
githubGitHub Advisory DatabaseGHSA-3MM9-2P44-RW39
HistoryMay 22, 2024 - 7:03 p.m.

Silverstripe SiteTree Creation Permission Vulnerability

2024-05-2219:03:54
CWE-863
GitHub Advisory Database
github.com
4
silverstripe
sitetree
permission vulnerability
validation
user permissions
database
cms access
restfulserver module
model editing
model-level permission checks
draft pages
live pages
upgrade

7.4 High

AI Score

Confidence

High

A vulnerability exists in the permission validation for SiteTree object creation. By default user permissions are not validated by the SiteTree::canCreate method, unless overridden by user code or via the configuration system.

This vulnerability will allow users, or unauthenticated guests, to create new SiteTree objects in the database. This vulnerability is present when such users are given CMS access via other means, or if there is another mechanism (such as RestfulServer module) which allows model editing and relies on model-level permission checks.

This vulnerability is restricted to the creation of draft or live pages, and does not allow users to edit, publish, or unpublish existing pages.

All users should upgrade as soon as possible.

Affected configurations

Vulners
Node
silverstripesilverstripeRange<3.1.11
OR
silverstripesilverstripeRange3.0.11

7.4 High

AI Score

Confidence

High