CVE-2024-29885

EPSS 0.4%
Veröffentlicht 17.07.2024 20:15:05
Zuletzt bearbeitet 04.09.2025 14:56:24
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Reports are still accessible even when `canView()` returns false in silverstripe/reports

silverstripe/reports is an API for creating backend reports in the Silverstripe Framework. In affected versions reports can be accessed by their direct URL by any user who has access to view the reports admin section, even if the `canView()` method for that report returns `false`. This issue has been addressed in version 5.2.3. All users are advised to upgrade. There are no known workarounds for this vulnerability.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Silverstripe ≫ Reports SwPlatformsilverstripe Version < 5.2.3

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.4%	0.32

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

https://github.com/silverstripe/silverstripe-reports/commit/0351106c18ad4246d983b5f4e082c09c382121f4

Patch

https://github.com/silverstripe/silverstripe-reports/security/advisories/GHSA-89q6-98xx-4ffw

Vendor Advisory

https://www.silverstripe.org/download/security-releases/cve-2024-29885

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-29885

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-29885

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-29885

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-29885