GHSA-52cx-hpc5-cxwc: silverstripe/framework missing ACL on reports
The SS_Report, and the reports CMS section only checks canView()
when listing the reports that can be viewed by the current user.
It does not (and should) perform canView
checks when the report is actually viewed, so if you know the URL to a report and can otherwise access the Reports section of the CMS, you can view any report.
References
Detect and mitigate GHSA-52cx-hpc5-cxwc with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →