CVE-2023-22728 — Missing permission check of canView in GridFieldPrintButton

Description

The GridField print view incorrectly validates the permission of DataObjects potentially allowing a content author to view records they are not authorised to access. Upgrade to `silverstripe/framework` 4.12.5 or above to address the issue. Reported by Stephan Bauer from [relaxt Webdienstleistungsagentur GmbH](https://www.relaxt.at/)

How to fix CVE-2023-22728

To remediate CVE-2023-22728, upgrade the affected package to a fixed version below.

—upgrade to 4.12.5 or later

Is CVE-2023-22728 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 4.12.5

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-22728
PATCHgithub.com/silverstripe/silverstripe-framework
WEBgithub.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2023-22728.yaml
WEBgithub.com/silverstripe/silverstripe-framework/commit/fd5d8217e83768d7bf841e94b2d4d82642d5bc58