GoogleOSV:GHSA-RR8H-F97Q-8P9CBlind SQL Injection via GridFieldSortableHeader
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
66.2%
Gridfield state is vulnerable to SQL injections. The vast majority of Gridfields in Silverstripe CMS are affected by this vulnerability.
An attacker with CMS access could execute an arbitrary SQL statement by adding an SQL payload in some parts of the GridField state.
References
forum.silverstripe.org/c/releases
github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2022-38148.yaml
nvd.nist.gov/vuln/detail/CVE-2022-38148
www.silverstripe.org/blog/tag/release
www.silverstripe.org/download/security-releases
www.silverstripe.org/download/security-releases/CVE-2022-38148
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
66.2%