CVE-2024-29885: Silverstripe Reports are still accessible even when `canView()` returns false
Reports can be accessed by their direct URL by any user who has access to view the reports admin section, even if the canView() method for that report returns false.
References
- github.com/advisories/GHSA-89q6-98xx-4ffw
- github.com/silverstripe/silverstripe-reports
- github.com/silverstripe/silverstripe-reports/commit/0351106c18ad4246d983b5f4e082c09c382121f4
- github.com/silverstripe/silverstripe-reports/security/advisories/GHSA-89q6-98xx-4ffw
- nvd.nist.gov/vuln/detail/CVE-2024-29885
- www.silverstripe.org/download/security-releases/cve-2024-29885
Detect and mitigate CVE-2024-29885 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →