{"id":"CVE-2020-6165","details":"SilverStripe 4.5.0 allows attackers to read certain records that should not have been placed into a result set. This affects silverstripe/recipe-cms. The automatic permission-checking mechanism in the silverstripe/graphql module does not provide complete protection against lists that are limited (e.g., through pagination), resulting in records that should have failed a permission check being added to the final result set. GraphQL endpoints are configured by default (e.g., for assets), but the admin/graphql endpoint is access protected by default. This limits the vulnerability to all authenticated users, including those with limited permissions (e.g., where viewing records exposed through admin/graphql requires administrator permissions). However, if custom GraphQL endpoints have been configured for a specific implementation (usually under /graphql), this vulnerability could also be exploited through unauthenticated requests. This vulnerability only applies to reading records; it does not allow unauthorised changing of records.","aliases":["BIT-silverstripe-2020-6165","GHSA-589q-75r3-mfq4"],"modified":"2026-04-12T00:02:10.392384Z","published":"2020-07-15T21:15:13.583Z","references":[{"type":"ADVISORY","url":"https://www.silverstripe.org/download/security-releases/CVE-2020-6165"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/silverstripe/silverstripe-cms","events":[{"introduced":"d8915115f837633fb9183bbd66b05a2238606e19"},{"fixed":"dd0163ae000a85e6bf76b96b76c261a211b05047"},{"introduced":"1b50d59aba157eb05f102a19e41a74a94a2522f4"},{"fixed":"a5444c3eeba6b6288b246e0e7e65594f2b98c18b"}],"database_specific":{"cpe":"cpe:2.3:a:silverstripe:silverstripe:*:*:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"introduced":"3.2.0"},{"fixed":"3.2.4"},{"introduced":"3.2.5"},{"fixed":"3.3.0"}]}}],"versions":["3.2.0","3.2.0-rc2","3.2.1","3.2.1-rc1","3.2.1-rc2","3.2.4-rc1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-6165.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/silverstripe/silverstripe-framework","events":[{"introduced":"f75094abcd8ff29ece4bca05a297fda106e3ba89"},{"fixed":"10c32aaa28ceff3f90cd72e3f223b2d84dbeee28"}],"database_specific":{"cpe":"cpe:2.3:a:silverstripe:silverstripe:*:*:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"introduced":"4.5.0"},{"fixed":"4.5.3"}]}}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-6165.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}]}