VYPR
Moderate severity · NVD Advisory · Published Apr 26, 2023 · Updated Jan 31, 2025

Silverstripe Framework has missing permission check of canView in GridFieldPrintButton

CVE-2023-22728

Description

Silverstripe Framework is the Model-View-Controller framework that powers the Silverstripe content management system. Prior to version 4.12.15, the GridField print view incorrectly validates the permission of DataObjects potentially allowing a content author to view records they are not authorised to access. Users should upgrade to Silverstripe Framework 4.12.15 or above to address the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Silverstripe Framework GridField print view fails to check canView permissions, allowing content authors to view unauthorized records.

Root Cause

The vulnerability stems from the GridField print view in Silverstripe Framework versions prior to 4.12.15. The generatePrintData method iterates over DataObjects without verifying the current user's canView permission, as shown in the fix commit [2]. This omission allows a content author to view records they are not authorized to access when using the print functionality.

Exploitation

An authenticated user with content author privileges can exploit this by navigating to a GridField's print view. The print view bypasses the usual permission checks that are applied to the standard list view. No additional privileges or special network position are required; the attacker only needs to have access to a GridField that lists restricted DataObjects [1].

Impact

Successful exploitation enables an attacker to view sensitive records that would normally be hidden from them. This could lead to unauthorized disclosure of confidential information, such as draft content, internal notes, or other protected data stored in the CMS [4].

Mitigation

The issue is resolved in Silverstripe Framework version 4.12.15 and later. Users should upgrade to this or a higher version immediately. The fix adds a canView check before including each item in the print data [2]. No workarounds are currently available.
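As an added illustration of the root cause and the fix described above (this is not Silverstripe code and not part of the advisory or its patch), the script below models a print/export routine that emits one row per record: first with no permission check at all (the vulnerable shape), then gating each record on canView() the way the patch does, and finally a stricter fail-closed variant that refuses to print anything that cannot answer canView(). The Record and LegacyRecord classes, the member names and the sample data are all constructed for the example; it assumes PHP 8 (constructor property promotion) and runs stand-alone with the php CLI.

```php
<?php
// Added illustration, not Silverstripe code. Models the three shapes a
// "print every row" loop can take with respect to per-record permissions.

interface Viewable
{
    public function canView(?string $member = null): bool;
}

/** A record that knows which members may see it (constructed sample type). */
final class Record implements Viewable
{
    public function __construct(public string $name, private array $allowedMembers) {}

    public function canView(?string $member = null): bool
    {
        return $member !== null && in_array($member, $this->allowedMembers, true);
    }
}

/** A record type with no canView() at all (constructed sample type). */
final class LegacyRecord
{
    public function __construct(public string $name) {}
}

/** Vulnerable shape: every row is emitted regardless of permissions. */
function printRowsUnchecked(array $items): array
{
    return array_map(fn($item) => ['CellString' => $item->name], $items);
}

/**
 * Patched shape, mirroring the fix: skip a record whose canView() is false.
 * A record with no canView() method still passes (fail-open fallback).
 */
function printRowsPatched(array $items, string $member): array
{
    $rows = [];
    foreach ($items as $item) {
        if (!method_exists($item, 'canView') || $item->canView($member)) {
            $rows[] = ['CellString' => $item->name];
        }
    }
    return $rows;
}

/** Stricter variant: a record that cannot answer canView() is never printed. */
function printRowsFailClosed(array $items, string $member): array
{
    $rows = [];
    foreach ($items as $item) {
        if ($item instanceof Viewable && $item->canView($member)) {
            $rows[] = ['CellString' => $item->name];
        }
    }
    return $rows;
}

// Constructed sample list: one record visible to authors, one admin-only,
// one record of a type that has no canView() method.
$items = [
    new Record('Public page', ['author', 'admin']),
    new Record('Board minutes', ['admin']),
    new LegacyRecord('Untyped import'),
];

printf("unchecked:   %d rows\n", count(printRowsUnchecked($items)));
printf("patched:     %d rows\n", count(printRowsPatched($items, 'author')));
printf("fail-closed: %d rows\n", count(printRowsFailClosed($items, 'author')));
```

Run as a content author, the unchecked loop prints all three records, the patched loop drops the admin-only record but still prints the record that has no canView(), and the fail-closed loop prints only the record it can positively authorise. The patch's fallback keeps lists of objects without canView() working; for a custom exporter that only ever handles DataObjects, the fail-closed form is the safer default.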

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: silverstripe/framework (Packagist)
Affected versions: < 4.12.5
Patched versions: 4.12.5


Patches (1)
fd5d8217e837

[CVE-2023-22728] Check canView before printing from GridField

3 files changed · +34 −13
  • src/Forms/GridField/GridFieldPrintButton.php (+13 −11, modified)
    @@ -228,21 +228,23 @@ public function generatePrintData(GridField $gridField)
     
             /** @var DataObject $item */
             foreach ($items->limit(null) as $item) {
    -            $itemRow = new ArrayList();
    +            if (!$item->hasMethod('canView') || $item->canView()) {
    +                $itemRow = new ArrayList();
     
    -            foreach ($printColumns as $field => $label) {
    -                $value = $gridFieldColumnsComponent
    -                    ? strip_tags($gridFieldColumnsComponent->getColumnContent($gridField, $item, $field))
    -                    : $gridField->getDataFieldValue($item, $field);
    +                foreach ($printColumns as $field => $label) {
    +                    $value = $gridFieldColumnsComponent
    +                        ? strip_tags($gridFieldColumnsComponent->getColumnContent($gridField, $item, $field))
    +                        : $gridField->getDataFieldValue($item, $field);
    +
    +                    $itemRow->push(new ArrayData([
    +                        "CellString" => $value,
    +                    ]));
    +                }
     
    -                $itemRow->push(new ArrayData([
    -                    "CellString" => $value,
    +                $itemRows->push(new ArrayData([
    +                    "ItemRow" => $itemRow
                     ]));
                 }
    -
    -            $itemRows->push(new ArrayData([
    -                "ItemRow" => $itemRow
    -            ]));
                 if ($item->hasMethod('destroy')) {
                     $item->destroy();
                 }
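Review bot: the new guard `if (!$item->hasMethod('canView') || $item->canView())` fails open: any item without a canView() method is printed unconditionally. The `/** @var DataObject $item */` annotation just above says every item is a DataObject, which always has canView(), so either drop the hasMethod() branch or add a comment naming the non-DataObject lists it is meant to accommodate, otherwise the next reader will assume the fallback is a mistake. A smaller point: wrapping the whole body in the new `if` re-indents most of the loop; an early `continue` (placed so that the `$item->destroy()` cleanup still runs for skipped items) would keep the diff to the check itself.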
    
  • tests/php/Forms/GridField/GridFieldPrintButtonTest.php (+14 −2, modified)
    @@ -32,6 +32,19 @@ protected function setUp(): void
         }
     
         public function testLimit()
    +    {
    +        $this->assertEquals(42, $this->getTestableRows()->count());
    +    }
    +
    +    public function testCanViewIsRespected()
    +    {
    +        $orig = TestObject::$canView;
    +        TestObject::$canView = false;
    +        $this->assertEquals(0, $this->getTestableRows()->count());
    +        TestObject::$canView = $orig;
    +    }
    +
    +    private function getTestableRows()
         {
             $list = TestObject::get();
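Review bot: `testCanViewIsRespected` flips the static `TestObject::$canView` to false and restores it only after the assertion, so if `$this->assertEquals(0, ...)` fails the static stays false and leaks into every later test in the same process. Restore it in a `try { ... } finally { TestObject::$canView = $orig; }` block, or reset it in `tearDown()`.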
     
    @@ -48,7 +61,6 @@ public function testLimit()
     
             // Printed data should ignore pagination limit
             $printData = $button->generatePrintData($gridField);
    -        $rows = $printData->ItemRows;
    -        $this->assertEquals(42, $rows->count());
    +        return $printData->ItemRows;
         }
     }
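Review bot: the comment `// Printed data should ignore pagination limit` now sits inside the shared helper `getTestableRows()`, but only `testLimit()` asserts that behaviour; move the comment into `testLimit()` or reword it to describe what the helper returns, so its intent stays neutral for `testCanViewIsRespected`. A return type declaration on `getTestableRows()` would also make clear what the two tests are counting.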
    
  • tests/php/Forms/GridField/GridFieldPrintButtonTest/TestObject.php (+7 −0, modified)
    @@ -12,4 +12,11 @@ class TestObject extends DataObject implements TestOnly
         private static $db = [
             'Name' => 'Varchar'
         ];
    +
    +    public static bool $canView = true;
    +
    +    public function canView($member = null)
    +    {
    +        return static::$canView;
    +    }
     }
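Review bot: `public static bool $canView = true;` is a typed static property, which requires PHP 7.4 or newer; confirm that matches the minimum PHP version of the branch this lands on, or drop the type. The `$member` argument of `canView($member = null)` is deliberately ignored so the stub answers the same for every user; a one-line docblock saying so would save the next reader from wondering whether that is an oversight.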
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

