silverstripe/framework missing ACL on reports · GHSA-52cx-hpc5-cxwc · GitHub Advisory Database · GitHub

silverstripe/framework missing ACL on reports

Moderate severity GitHub Reviewed Published May 27, 2024 to the GitHub Advisory Database • Updated May 27, 2024

Package

silverstripe/framework (Composer)

Affected versions

>= 3.1.19-rc1, < 3.1.20

>= 3.2.4-rc1, < 3.2.5

>= 3.3.2-rc1, < 3.3.3

>= 3.4.0-rc1, < 3.4.1

Patched versions

3.1.20

3.2.5

3.3.3

3.4.1

Description

The SS_Report, and the reports CMS section only checks canView() when listing the reports that can be viewed by the current user.

It does not (and should) perform canView checks when the report is actually viewed, so if you know the URL to a report and can otherwise access the Reports section of the CMS, you can view any report.

References

Published to the GitHub Advisory Database May 27, 2024

Reviewed May 27, 2024

Last updated May 27, 2024

Severity

Moderate

/ 10

CVSS v3 base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

Low

User interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N