
CVE-2020-6165: Silverstripe has Incorrect Default Permissions

CVSS Score (v3.1): 5.3

Basic Information

EPSS Score
0.37569%
Published
5/24/2022
Updated
2/7/2024
KEV Status
No
Technology
PHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Package Name                  Ecosystem   Vulnerable Versions   First Patched Version
silverstripe/recipe-cms       composer    >= 4.5.0, < 4.5.3     4.5.3
silverstripe/graphql          composer    >= 3.2.0, < 3.2.4     3.2.4

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from improper ordering of permission checks relative to query limitations. The changelogs explicitly mention moving 'query resolution after the DataListQuery has been altered' and ensuring 'canView() check is run on items.' This indicates that DataListQuery::resolve() executed permission checks on the full dataset before applying pagination/limits, leaving residual unauthorized records in the truncated result. The CanViewPermissionChecker::checkItem() method was likely invoked at the wrong stage in this flow. The patch corrected this by reordering the steps to apply permissions after query constraints.

Vulnerable functions


WAF Protection Rules

WAF Rule

SilverStripe 4.5.3 allows attackers to read certain records that should not have been placed into a result set. This affects silverstripe/recipe-cms. The automatic permission-checking mechanism in the silverstripe/graphql module does not provide comp
