Add CVE details for January Silverstripe CMS patches

creative-commoners · Jan 23, 2024 · 7642f69 · 7642f69
1 parent fd6a8b7
commit 7642f69
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 0 deletions.
diff --git a/silverstripe/admin/CVE-2023-49783.yaml b/silverstripe/admin/CVE-2023-49783.yaml
@@ -0,0 +1,11 @@
+title:     "CVE-2023-49783 No permission checks for editing or deleting records with CSV import form"
+link:      https://www.silverstripe.org/download/security-releases/CVE-2023-49783
+cve:       CVE-2023-49783
+branches:
+    1.13.x:
+        time:     2024-01-23 03:15:01
+        versions: ['>=1.0.0', '<1.13.19']
+    2.1.x:
+        time:     2024-01-23 03:15:49
+        versions: ['>=2.0.0', '<2.1.8']
+reference: composer://silverstripe/admin
diff --git a/silverstripe/framework/CVE-2023-48714.yaml b/silverstripe/framework/CVE-2023-48714.yaml
@@ -0,0 +1,11 @@
+title:     "CVE-2023-48714 Record titles for restricted records can be viewed if exposed by GridFieldAddExistingAutocompleter"
+link:      https://www.silverstripe.org/download/security-releases/CVE-2023-48714
+cve:       CVE-2023-48714
+branches:
+    4.13.x:
+        time:     2024-01-22 22:46:28
+        versions: ['>=4.0.0', '<4.13.39']
+    5.1.x:
+        time:     2024-01-22 22:58:52
+        versions: ['>=5.0.0', '<5.1.11']
+reference: composer://silverstripe/framework
diff --git a/silverstripe/graphql/CVE-2023-44401.yaml b/silverstripe/graphql/CVE-2023-44401.yaml
@@ -0,0 +1,11 @@
+title:     "CVE-2023-44401 View permissions are bypassed for paginated lists of ORM data in GraphQL queries"
+link:      https://www.silverstripe.org/download/security-releases/CVE-2023-44401
+cve:       CVE-2023-44401
+branches:
+    4.3.x:
+        time:     2024-01-22 23:19:50
+        versions: ['>=4.0.0', '<4.3.7']
+    5.1.x:
+        time:     2024-01-22 23:26:08
+        versions: ['>=5.0.0', '<5.1.3']
+reference: composer://silverstripe/graphql