GitHub Advisory DatabaseGHSA-89Q6-98XX-4FFWSilverstripe Reports are still accessible even when `canView()` returns false
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
AI Score
Confidence
Low
EPSS
Percentile
16.0%
Reports can be accessed by their direct URL by any user who has access to view the reports admin section, even if the canView() method for that report returns false.
References
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| silverstripe | registry | * | cpe:2.3:a:silverstripe:registry:*:*:*:*:*:silverstripe:*:* |
References
github.com/advisories/GHSA-89q6-98xx-4ffw
github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/reports/CVE-2024-29885.yaml
github.com/silverstripe/silverstripe-reports/commit/0351106c18ad4246d983b5f4e082c09c382121f4
github.com/silverstripe/silverstripe-reports/security/advisories/GHSA-89q6-98xx-4ffw
nvd.nist.gov/vuln/detail/CVE-2024-29885
www.silverstripe.org/download/security-releases/cve-2024-29885
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
AI Score
Confidence
Low
EPSS
Percentile
16.0%