GHSA-89q6-98xx-4ffw

Source

https://github.com/advisories/GHSA-89q6-98xx-4ffw

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-89q6-98xx-4ffw/GHSA-89q6-98xx-4ffw.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-89q6-98xx-4ffw

Aliases

CVE-2024-29885

Published

2024-07-17T14:26:31Z

Modified

2024-07-22T17:00:44.077026Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

Silverstripe Reports are still accessible even when `canView()` returns false

Details

Reports can be accessed by their direct URL by any user who has access to view the reports admin section, even if the canView() method for that report returns false.

References

https://www.silverstripe.org/download/security-releases/cve-2024-29885

Database specific

{
    "severity": "MODERATE",
    "nvd_published_at": "2024-07-17T20:15:05Z",
    "github_reviewed_at": "2024-07-17T14:26:31Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-200",
        "CWE-863"
    ]
}

References

Affected packages

Packagist / silverstripe/reports

Package

Name: silverstripe/reports
Purl: pkg:composer/silverstripe/reports

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.2.3

Affected versions

1.*

1.1.0

3.*

3.2.0-beta1

3.2.0-beta2

3.2.0-rc1

3.2.0-rc2

3.2.0

3.2.1-rc1

3.2.1-rc2

3.2.1

3.2.2-rc1

3.2.2-rc2

3.2.2

3.2.3-rc1

3.2.3-rc2

3.2.3

3.2.4-rc1

3.2.4

3.2.5-rc1

3.2.5-rc2

3.2.5

3.2.6

3.3.0-beta1

3.3.0-rc1

3.3.0-rc2

3.3.0-rc3

3.3.0

3.3.1-rc1

3.3.1-rc2

3.3.1

3.3.2-rc1

3.3.2

3.3.3-rc1

3.3.3-rc2

3.3.3

3.3.4

3.4.0-rc1

3.4.0

3.4.1-rc1

3.4.1-rc2

3.4.1

3.4.2

3.4.3-rc1

3.4.3

3.4.4-rc1

3.4.4

3.4.5-rc1

3.4.5

3.4.6-rc1

3.4.6-rc2

3.4.6

3.5.0-rc1

3.5.0-rc2

3.5.0-rc3

3.5.0

3.5.1-rc1

3.5.1-rc2

3.5.1

3.5.2-rc1

3.5.2

3.5.3-rc1

3.5.3

3.5.4-rc1

3.5.4

3.5.5-beta1

3.5.5-beta2

3.5.5

3.5.6-rc1

3.5.6

3.5.7

3.5.8-rc1

3.5.8

3.6.0-beta1

3.6.0-beta2

3.6.0-rc1

3.6.0

3.6.1-alpha1

3.6.1-alpha2

3.6.1

3.6.2-beta1

3.6.2-beta2

3.6.2

3.6.3-rc2

3.6.3

3.6.4

3.6.5

3.6.6-rc1

3.6.6

3.6.7

3.7.0

3.7.1-rc1

3.7.1

3.7.2

3.7.3

4.*

4.0.0-alpha1

4.0.0-alpha2

4.0.0-alpha3

4.0.0-alpha4

4.0.0-alpha5

4.0.0-alpha6

4.0.0-alpha7

4.0.0-beta1

4.0.0-beta2

4.0.0-beta3

4.0.0-beta4

4.0.0-rc1

4.0.0-rc2

4.0.0-rc3

4.0.0

4.0.1-rc1

4.0.1

4.0.2

4.0.3

4.0.4

4.0.5

4.0.6

4.0.7

4.1.0-rc1

4.1.0-rc2

4.1.0

4.1.1

4.1.2

4.1.3

4.1.4

4.1.5

4.2.0-beta1

4.2.0

4.2.1

4.2.2

4.2.3

4.2.4

4.2.5

4.3.0-rc1

4.3.0

4.3.1

4.3.2

4.3.3

4.3.4

4.4.0-rc1

4.4.0

4.4.1

4.5.0-alpha1

4.5.0-rc1

4.5.0-rc2

4.5.0

4.5.1

4.6.0-beta1

4.6.0-rc1

4.6.0

4.7.0-beta1

4.7.0-rc1

4.7.0

4.8.0-beta1

4.8.0-rc1

4.8.0

4.9.0-beta1

4.9.0-rc1

4.9.0

4.10.0-beta1

4.10.0-rc1

4.10.0

4.11.0-beta1

4.11.0-rc1

4.11.0

4.12.0-beta1

4.12.0-rc1

4.12.0

4.13.0-beta1

4.13.0-rc1

4.13.0

4.13.1

4.13.2

4.13.3

4.13.4

4.13.5

5.*

5.0.0-alpha1

5.0.0-beta1

5.0.0-rc1

5.0.0

5.0.1

5.0.2

5.0.3

5.1.0-beta1

5.1.0-rc1

5.1.0

5.1.1

5.2.0-beta1

5.2.0-rc1

5.2.0

5.2.1

5.2.2