VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-r237-7hnx-kbeq

Essentials
Severities (28)
References (10)
Severity details (20)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-r237-7hnx-kbeq
Aliases	CVE-2023-49783 GHSA-j3m6-gvm8-mhvw
Summary	No permission checks for editing/deleting records with CSV import form ### Impact Users who don't have edit or delete permissions for records exposed in a `ModelAdmin` can still edit or delete records using the CSV import form, provided they have create permissions. The likelyhood of a user having create permissions but _not_ having edit or delete permissions is low, but it _is_ possible. Note that this doesn't affect any `ModelAdmin` which has had the import form disabled via the [`showImportForm` public property](https://api.silverstripe.org/4/SilverStripe/Admin/ModelAdmin.html#property_showImportForm), nor does it impact the `SecurityAdmin` section. #### Action may be required If you have a custom implementation of [`BulkLoader`](https://api.silverstripe.org/4/SilverStripe/Dev/BulkLoader.html), you should update your implementation to respect permissions when the return value of [`getCheckPermissions()`](https://api.silverstripe.org/4/SilverStripe/Dev/BulkLoader.html#method_getCheckPermissions) is true. If you are using any `BulkLoader` in your own project logic, or maintain a module which uses it, you should consider passing `true` to [`setCheckPermissions()`](https://api.silverstripe.org/4/SilverStripe/Dev/BulkLoader.html#method_setCheckPermissions) if the data is provided by users. Base CVSS: [4.3](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:F/RL:O/RC:C&version=3.1) Reported by: Guy Sartorelli from Silverstripe ### References - https://www.silverstripe.org/download/security-releases/CVE-2023-49783
Status	Published
Exploitability	0.5
Weighted Severity	6.2
Risk	3.1
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-863	Incorrect Authorization
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
epss	0.00146	https://api.first.org/data/v1/epss?cve=CVE-2023-49783
epss	0.00146	https://api.first.org/data/v1/epss?cve=CVE-2023-49783
epss	0.00146	https://api.first.org/data/v1/epss?cve=CVE-2023-49783
epss	0.00146	https://api.first.org/data/v1/epss?cve=CVE-2023-49783
epss	0.00146	https://api.first.org/data/v1/epss?cve=CVE-2023-49783
epss	0.00146	https://api.first.org/data/v1/epss?cve=CVE-2023-49783
epss	0.00146	https://api.first.org/data/v1/epss?cve=CVE-2023-49783
epss	0.00146	https://api.first.org/data/v1/epss?cve=CVE-2023-49783
cvssv3.1_qr	MODERATE	https://github.com/advisories/GHSA-j3m6-gvm8-mhvw
cvssv3.1	4.3	https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/admin/CVE-2023-49783.yaml
generic_textual	MODERATE	https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/admin/CVE-2023-49783.yaml
cvssv3.1	4.3	https://github.com/silverstripeltd/product-issues/issues/832
generic_textual	MODERATE	https://github.com/silverstripeltd/product-issues/issues/832
cvssv3.1	4.3	https://github.com/silverstripe-security/security-issues/issues/177
generic_textual	MODERATE	https://github.com/silverstripe-security/security-issues/issues/177
cvssv3.1	4.3	https://github.com/silverstripe/silverstripe-admin
generic_textual	MODERATE	https://github.com/silverstripe/silverstripe-admin
cvssv3.1	4.3	https://github.com/silverstripe/silverstripe-admin/commit/9693130a0a637cdf512277cf5f07e83250b191db
generic_textual	MODERATE	https://github.com/silverstripe/silverstripe-admin/commit/9693130a0a637cdf512277cf5f07e83250b191db
cvssv3.1	4.3	https://github.com/silverstripe/silverstripe-admin/security/advisories/GHSA-j3m6-gvm8-mhvw
cvssv3.1_qr	MODERATE	https://github.com/silverstripe/silverstripe-admin/security/advisories/GHSA-j3m6-gvm8-mhvw
generic_textual	MODERATE	https://github.com/silverstripe/silverstripe-admin/security/advisories/GHSA-j3m6-gvm8-mhvw
ssvc	Track	https://github.com/silverstripe/silverstripe-admin/security/advisories/GHSA-j3m6-gvm8-mhvw
cvssv3.1	4.3	https://nvd.nist.gov/vuln/detail/CVE-2023-49783
generic_textual	MODERATE	https://nvd.nist.gov/vuln/detail/CVE-2023-49783
cvssv3.1	4.3	https://www.silverstripe.org/download/security-releases/CVE-2023-49783
generic_textual	MODERATE	https://www.silverstripe.org/download/security-releases/CVE-2023-49783
ssvc	Track	https://www.silverstripe.org/download/security-releases/CVE-2023-49783

Reference id	Reference type	URL
		https://api.first.org/data/v1/epss?cve=CVE-2023-49783
		https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/admin/CVE-2023-49783.yaml
		https://github.com/silverstripeltd/product-issues/issues/832
		https://github.com/silverstripe-security/security-issues/issues/177
		https://github.com/silverstripe/silverstripe-admin
		https://github.com/silverstripe/silverstripe-admin/commit/9693130a0a637cdf512277cf5f07e83250b191db
		https://github.com/silverstripe/silverstripe-admin/security/advisories/GHSA-j3m6-gvm8-mhvw
		https://nvd.nist.gov/vuln/detail/CVE-2023-49783
		https://www.silverstripe.org/download/security-releases/CVE-2023-49783
GHSA-j3m6-gvm8-mhvw		https://github.com/advisories/GHSA-j3m6-gvm8-mhvw

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N Found at https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/admin/CVE-2023-49783.yaml

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N Found at https://github.com/silverstripeltd/product-issues/issues/832

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N Found at https://github.com/silverstripe-security/security-issues/issues/177

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N Found at https://github.com/silverstripe/silverstripe-admin

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N Found at https://github.com/silverstripe/silverstripe-admin/commit/9693130a0a637cdf512277cf5f07e83250b191db

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N Found at https://github.com/silverstripe/silverstripe-admin/security/advisories/GHSA-j3m6-gvm8-mhvw

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-23T21:29:24Z/ Found at https://github.com/silverstripe/silverstripe-admin/security/advisories/GHSA-j3m6-gvm8-mhvw

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2023-49783

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N Found at https://www.silverstripe.org/download/security-releases/CVE-2023-49783

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-23T21:29:24Z/ Found at https://www.silverstripe.org/download/security-releases/CVE-2023-49783

Exploit Prediction Scoring System (EPSS)

Percentile	0.35012
EPSS Score	0.00146
Published At	April 2, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-04-01T12:50:04.971422+00:00	GithubOSV Importer	Import	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-j3m6-gvm8-mhvw/GHSA-j3m6-gvm8-mhvw.json	38.0.0