CVE-2024-29885

2024-07-1720:15:05

CWE-200

GitHub_M

web.nvd.nist.gov

silverstripe

reports

api

vulnerability

5.2.3

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

AI Score

4.5

Confidence

High

EPSS

Percentile

16.0%

JSON

silverstripe/reports is an API for creating backend reports in the Silverstripe Framework. In affected versions reports can be accessed by their direct URL by any user who has access to view the reports admin section, even if the canView() method for that report returns false. This issue has been addressed in version 5.2.3. All users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected configurations

Vulners

Node

silverstriperegistryRange<5.2.3silverstripe

VendorProductVersionCPE
silverstriperegistry*cpe:2.3:a:silverstripe:registry:*:*:*:*:*:silverstripe:*:*

Vendor	Product	Version	CPE
silverstripe	registry	*	cpe:2.3:a:silverstripe:registry::::::silverstripe::*

CNA Affected

[
  {
    "vendor": "silverstripe",
    "product": "silverstripe-reports",
    "versions": [
      {
        "version": "< 5.2.3",
        "status": "affected"
      }
    ]
  }
]