GHSA-xmp3-7745-g4vj: ezsystems/ez-support-tools Failing access control in system info view

May 15, 2024

This Security Advisory is about a vulnerability in ezsystems/ez-support-tools v2.2, part of Ibexa DXP v3.2. Older versions are not affected. A user having insufficient permissions is able to access the system information tabs if they type in the direct link (the link is not shown in the menu). The “Setup / System info” policy should be required to access it, but only backend login is actually required. This means any editor can see core system information, including the output from phpinfo(). The fix ensures that the access policy is correctly verified.

References

developers.ibexa.co/security-advisories/ibexa-sa-2020-007-failing-access-control-in-system-info-view
github.com/FriendsOfPHP/security-advisories/blob/master/ezsystems/ez-support-tools/2020-12-01-1.yaml
github.com/advisories/GHSA-xmp3-7745-g4vj
github.com/ezsystems/ez-support-tools

Detect and mitigate GHSA-xmp3-7745-g4vj with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →