silverstripe/framework missing ACL on reports

The SS_Report, and the reports CMS section only checks canView() when listing the reports that can be viewed by the current user.

It does not (and should) perform canView checks when the report is actually viewed, so if you know the URL to a report and can otherwise access the Reports section of the CMS, you can view any report.

Published: May 27, 2024
Updated: Jun 27, 2024
GHSA: GHSA-52cx-hpc5-cxwc
Severity: Medium
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CWEs:

CWE-862

Affected Software
References

Software	From	Fixed in
silverstripe / framework	3.1.19-rc1	3.1.20
silverstripe / framework	3.2.4-rc1	3.2.5
silverstripe / framework	3.3.2-rc1	3.3.3
silverstripe / framework	3.4.0-rc1	3.4.1

https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2016-012-1.yaml
https://www.silverstripe.org/download/security-releases/ss-2016-012

Vulnerability Database

silverstripe/framework missing ACL on reports