Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS14bXAzLTc3NDUtZzR2as4AA8He
ezsystems/ez-support-tools Failing access control in system info view
This Security Advisory is about a vulnerability in ezsystems/ez-support-tools v2.2, part of Ibexa DXP v3.2. Older versions are not affected. A user having insufficient permissions is able to access the system information tabs if they type in the direct link (the link is not shown in the menu). The "Setup / System info" policy should be required to access it, but only backend login is actually required. This means any editor can see core system information, including the output from phpinfo(). The fix ensures that the access policy is correctly verified.
Permalink: https://github.com/advisories/GHSA-xmp3-7745-g4vjJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS14bXAzLTc3NDUtZzR2as4AA8He
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 6 months ago
Updated: 6 months ago
Identifiers: GHSA-xmp3-7745-g4vj
References:
- https://developers.ibexa.co/security-advisories/ibexa-sa-2020-007-failing-access-control-in-system-info-view
- https://github.com/FriendsOfPHP/security-advisories/blob/master/ezsystems/ez-support-tools/2020-12-01-1.yaml
- https://github.com/advisories/GHSA-xmp3-7745-g4vj
Affected Packages
packagist:ezsystems/ez-support-tools
Dependent packages: 20Dependent repositories: 86
Downloads: 922,523 total
Affected Version Ranges: >= 2.2.0, < 2.2.3
Fixed in: 2.2.3
All affected versions: 2.2.0, 2.2.1, 2.2.2
All unaffected versions: 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.2.0, 0.2.1, 0.2.2, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.0.10, 1.0.11, 1.0.12, 1.0.13, 1.0.14, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.2.3, 2.2.4, 2.2.5, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.3.7, 2.3.8, 2.3.9, 2.3.10, 2.3.11, 2.3.12