GHSA-52cx-hpc5-cxwc
Suggest an improvement- Source
- https://github.com/advisories/GHSA-52cx-hpc5-cxwc
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-52cx-hpc5-cxwc/GHSA-52cx-hpc5-cxwc.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-52cx-hpc5-cxwc
- Published
- 2024-05-27T18:44:47Z
- Modified
- 2024-12-02T05:55:38.158009Z
- Severity
-
- 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
- Summary
- silverstripe/framework missing ACL on reports
- Details
-
The SS_Report, and the reports CMS section only checks
canView()when listing the reports that can be viewed by the current user.It does not (and should) perform
canViewchecks when the report is actually viewed, so if you know the URL to a report and can otherwise access the Reports section of the CMS, you can view any report. - Database specific
{ "nvd_published_at": null, "cwe_ids": [ "CWE-862" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2024-05-27T18:44:47Z" }- References
Affected packages
Packagist / silverstripe/framework
Package
- Name
- silverstripe/framework
- Purl
- pkg:composer/silverstripe/framework
Packagist / silverstripe/framework
Package
- Name
- silverstripe/framework
- Purl
- pkg:composer/silverstripe/framework
Packagist / silverstripe/framework
Package
- Name
- silverstripe/framework
- Purl
- pkg:composer/silverstripe/framework
Packagist / silverstripe/framework
Package
- Name
- silverstripe/framework
- Purl
- pkg:composer/silverstripe/framework