silverstripe/framework missing ACL on reports

2024-05-2718:44:47

CWE-862

GitHub Advisory Database

github.com

ss_report

reports

cms

canview()

access control

security

AI Score

Confidence

High

JSON

The SS_Report, and the reports CMS section only checks canView() when listing the reports that can be viewed by the current user.

It does not (and should) perform canView checks when the report is actually viewed, so if you know the URL to a report and can otherwise access the Reports section of the CMS, you can view any report.

Affected configurations

Vulners

Node

silverstripeframeworkRange3.4.0-rc1–3.4.1

silverstripeframeworkRange3.3.2-rc1–3.3.3

silverstripeframeworkRange3.2.4-rc1–3.2.5

silverstripeframeworkRange3.1.19-rc1–3.1.20

VendorProductVersionCPE
silverstripeframework*cpe:2.3:a:silverstripe:framework:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
silverstripe	framework	*	cpe:2.3:a:silverstripe:framework::::::::

References

github.com/advisories/GHSA-52cx-hpc5-cxwc

github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2016-012-1.yaml

www.silverstripe.org/download/security-releases/ss-2016-012

AI Score

Confidence

High

JSON