GHSA-xmp3-7745-g4vj

Source
https://github.com/advisories/GHSA-xmp3-7745-g4vj
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-xmp3-7745-g4vj/GHSA-xmp3-7745-g4vj.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-xmp3-7745-g4vj
Published
2024-05-15T21:07:06Z
Modified
2024-11-29T05:42:51.337116Z
Summary
ezsystems/ez-support-tools Failing access control in system info view
Details

This Security Advisory is about a vulnerability in ezsystems/ez-support-tools v2.2, part of Ibexa DXP v3.2. Older versions are not affected. A user with insufficient permissions is able to access the system information tabs by entering the direct link (the link is not shown in the menu). The "Setup / System info" policy should be required to access it, but only a backend login is actually required. This means any editor can see core system information, including the output of phpinfo(). The fix ensures that the access policy is correctly verified.

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-15T21:07:06Z"
}
References

Affected packages

Packagist / ezsystems/ez-support-tools

Package

Name
ezsystems/ez-support-tools
Purl
pkg:composer/ezsystems/ez-support-tools

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.2.0
Fixed
2.2.3

Affected versions

v2.*

v2.2.0
v2.2.1
v2.2.2