CVE-2023-49783: 
PHP vulnerability analysis and mitigation

Silverstripe Admin, which provides a basic management interface for the Silverstripe Framework, was found to contain a vulnerability in versions 1.x prior to 1.13.19 and 2.x prior to 2.1.8. The vulnerability allows users with create permissions to edit or delete records in ModelAdmin even without proper edit or delete permissions (Vendor Advisory, GitHub Advisory).

The vulnerability exists in the CSV import form functionality of ModelAdmin. When users with create permissions use this form, the system fails to properly validate whether they have edit or delete permissions for the records being modified. This bypass only affects ModelAdmin instances that have not disabled the import form via the showImportForm public property. The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N (GitHub Advisory).

While the likelihood of a user having create permissions without edit or delete permissions is considered low, the vulnerability could allow unauthorized modification or deletion of records through the CSV import functionality. The SecurityAdmin section is not affected by this vulnerability (Vendor Advisory).

The vulnerability has been patched in versions 1.13.19 and 2.1.8. For custom implementations of BulkLoader, developers should update their implementation to respect permissions when getCheckPermissions() returns true. Those using BulkLoader in project logic or maintaining modules should consider passing true to setCheckPermissions() when handling user-provided data (Vendor Advisory).