Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS04OXE2LTk4eHgtNGZmd84AA9-e

Silverstripe Reports are still accessible even when `canView()` returns false

Reports can be accessed by their direct URL by any user who has access to view the reports admin section, even if the canView() method for that report returns false.

References

https://www.silverstripe.org/download/security-releases/cve-2024-29885

Permalink: https://github.com/advisories/GHSA-89q6-98xx-4ffw
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04OXE2LTk4eHgtNGZmd84AA9-e
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 4 months ago
Updated: 4 months ago

CVSS Score: 4.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Identifiers: GHSA-89q6-98xx-4ffw, CVE-2024-29885
References:

Repository: https://github.com/silverstripe/silverstripe-reports
Blast Radius: 10.8

Affected Packages

packagist:silverstripe/reports

Dependent packages: 31
Dependent repositories: 321
Downloads: 2,514,270 total
Affected Version Ranges: < 5.2.3
Fixed in: 5.2.3
All affected versions: 1.1.0, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.4.4, 3.4.5, 3.4.6, 3.5.0, 3.5.1, 3.5.2, 3.5.3, 3.5.4, 3.5.5, 3.5.6, 3.5.7, 3.5.8, 3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.6.5, 3.6.6, 3.6.7, 3.7.0, 3.7.1, 3.7.2, 3.7.3, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.4.0, 4.4.1, 4.5.0, 4.5.1, 4.6.0, 4.7.0, 4.8.0, 4.9.0, 4.10.0, 4.11.0, 4.12.0, 4.13.0, 4.13.1, 4.13.2, 4.13.3, 4.13.4, 4.13.5, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2
All unaffected versions: 5.2.3, 5.3.0, 5.3.1