5.3

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-44401

CVE-2023-44401: View permissions are bypassed for paginated lists of ORM data

Impact

canView permission checks are bypassed for ORM data in paginated GraphQL query results where the total number of records is greater than the number of records per page.

Note that this also affects GraphQL queries which have a limit applied, even if the query isn’t paginated per se.

This has been fixed by ensuring no new records are pulled in from the database after performing canView permission checks for each page of results. This may result in some pages in your query results having less than the maximum number of records per page even when there are more pages of results.

This behaviour is consistent with how pagination works in other areas of Silverstripe CMS, such as in GridField, and is a result of having to perform permission checks in PHP rather than in the database directly.

You can choose to disable these permission checks by disabling the CanViewPermission plugin following the instructions in overriding default plugins.

Note that this vulnerability does not affect version 3.x.

Base CVSS: 5.3 Reported by: Eduard Briem from Hothouse Creative, Nelson

References

https://www.silverstripe.org/download/security-releases/CVE-2023-44401

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2023-44401

CVE-2023-44401:

5.3

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
silverstripe/graphql	composer	>= 4.0.0, < 4.3.7	4.3.7
silverstripe/graphql	composer	>= 5.0.0, < 5.1.3	5.1.3

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from pagination logic that fetches database records before fully applying PHP-level canView permission checks. The PaginationPlugin's result processing likely used naive offset/limit SQL queries, then filtered results in PHP without adjusting the pagination window for removed items. DataList::limit is implicated because ORM-level limit clauses would execute before permission filtering, creating a mismatch between SQL offsets and post-filtered results. The high confidence for PaginationPlugin comes from its direct responsibility for GraphQL pagination behavior, while DataList::limit has medium confidence due to being a lower-level ORM component.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2023-44401: View permissions are bypassed for paginated lists of ORM data

Impact

References

CVE-2023-44401:

5.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

5.3

5.3

Technical Details

CVE-2023-44401: View permissions are bypassed for paginated lists of ORM data

Impact

References

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI