SS-2016-012: Missing ACL on reports

August 15, 2016

The SS_Report, and the reports CMS section only checks canView() when listing the reports that can be viewed by the current user. It does not (and should) perform canView checks when the report is actually viewed, so if you know the URL to a report and can otherwise access the Reports section of the CMS, you can view any report.

References

www.silverstripe.org/download/security-releases/ss-2016-012/

Code Behaviors & Features

Detect and mitigate SS-2016-012 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →