GHSA-52cx-hpc5-cxwc: silverstripe/framework missing ACL on reports

May 27, 2024

The SS_Report, and the reports CMS section only checks canView() when listing the reports that can be viewed by the current user.

It does not (and should) perform canView checks when the report is actually viewed, so if you know the URL to a report and can otherwise access the Reports section of the CMS, you can view any report.

References

github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2016-012-1.yaml
github.com/advisories/GHSA-52cx-hpc5-cxwc
github.com/silverstripe/silverstripe-framework
www.silverstripe.org/download/security-releases/ss-2016-012

Code Behaviors & Features

Detect and mitigate GHSA-52cx-hpc5-cxwc with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →