Описание
silverstripe/framework missing ACL on reports
The SS_Report, and the reports CMS section only checks canView() when listing the reports that can be viewed by the current user.
It does not (and should) perform canView checks when the report is actually viewed, so if you know the URL to a report and can otherwise access the Reports section of the CMS, you can view any report.
Пакеты
Наименование
silverstripe/framework
composer
Затронутые версииВерсия исправления
>= 3.1.19-rc1, < 3.1.20
3.1.20
Наименование
silverstripe/framework
composer
Затронутые версииВерсия исправления
>= 3.2.4-rc1, < 3.2.5
3.2.5
Наименование
silverstripe/framework
composer
Затронутые версииВерсия исправления
>= 3.3.2-rc1, < 3.3.3
3.3.3
Наименование
silverstripe/framework
composer
Затронутые версииВерсия исправления
>= 3.4.0-rc1, < 3.4.1
3.4.1
4.3 Medium
CVSS3
Дефекты
CWE-862
4.3 Medium
CVSS3
Дефекты
CWE-862