CVE-2024-29885 Reports are still accessible even when canView is set to false

This site requires you to update your browser. Your browsing experience maybe affected by not having the most up to date version.

Severity:: Medium (?)
Identifier:: CVE-2024-29885
Versions Affected:: silverstripe/reports: <5.2.3
Versions Fixed:: silverstripe/reports: 5.2.3

The `Report` class has a `canView` method. If that method is configured to return `false`, the current user should not be able to view the report. While the report list will omit any `canView` `false` reports, those reports can still access them directly assuming the user has the `CMS_ACCESS_ReportAdmin` permission.

After patching the `canView` check will be properly respected

Base CVSS: 4.3
Reported by: Nate Devereux and Fiona Black from Silverstripe Ltd.

References

Reports are still accessible even when `canView()` returns false