CVE-2024-29885 Reports are still accessible even when canView is set to false
- Severity: Medium (?)
- Identifier: CVE-2024-29885
- Versions Affected: silverstripe/reports: <5.2.3
- Versions Fixed: silverstripe/reports: 5.2.3
- Release Date: 2024-07-17
The `Report` class has a `canView` method. If that method is configured to return `false`, the current user should not be able to view the report. While the report list omits any report whose `canView` returns `false`, a user who holds the `CMS_ACCESS_ReportAdmin` permission can still open such a report directly by requesting it by name.
After patching, the `canView` check is properly respected for direct access as well.
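The following PHP is an added illustration of the two code paths the advisory describes, not code from silverstripe/reports: a report listing that filters on `canView`, and a direct-by-name lookup that, in the vulnerable shape, checks only the module-level `CMS_ACCESS_ReportAdmin` permission. All class names, members and the `hasPermission`/`getReportFixed` helpers are constructed for this example and do not model the real `SilverStripe\Reports\Report` or `Permission` APIs.

```php
<?php
// Added example (not the project's code). Models why filtering a list by
// canView() is not enough: the direct-access path must call canView() too.

interface Member
{
    public function hasPermission(string $code): bool;
}

final class SimpleMember implements Member
{
    /** @param string[] $permissions constructed permission codes for the demo */
    public function __construct(private array $permissions) {}

    public function hasPermission(string $code): bool
    {
        return in_array($code, $this->permissions, true);
    }
}

abstract class Report
{
    abstract public function name(): string;

    // Mirrors the intent of Report::canView(): false means "must not be viewed".
    public function canView(Member $member): bool
    {
        return true;
    }
}

final class SalesReport extends Report
{
    public function name(): string { return 'sales'; }
}

final class PayrollReport extends Report
{
    public function name(): string { return 'payroll'; }

    // Restricted report: only administrators may view it.
    public function canView(Member $member): bool
    {
        return $member->hasPermission('ADMIN');
    }
}

final class ReportAdmin
{
    /** @param Report[] $reports */
    public function __construct(private array $reports) {}

    // Report list: drops reports whose canView() is false. This path was
    // already correct in the affected versions.
    public function listReports(Member $member): array
    {
        if (!$member->hasPermission('CMS_ACCESS_ReportAdmin')) {
            return [];
        }
        return array_values(array_filter(
            $this->reports,
            fn(Report $r) => $r->canView($member)
        ));
    }

    // Vulnerable shape: direct access gated only on the module permission,
    // so a restricted report is reachable by name.
    public function getReportVulnerable(string $name, Member $member): ?Report
    {
        if (!$member->hasPermission('CMS_ACCESS_ReportAdmin')) {
            return null;
        }
        return $this->find($name);
    }

    // Fixed shape: the per-report canView() is enforced on direct access too.
    public function getReportFixed(string $name, Member $member): ?Report
    {
        $report = $this->getReportVulnerable($name, $member);
        if ($report === null || !$report->canView($member)) {
            return null; // in a real controller: respond 403
        }
        return $report;
    }

    private function find(string $name): ?Report
    {
        foreach ($this->reports as $report) {
            if ($report->name() === $name) {
                return $report;
            }
        }
        return null;
    }
}

// Constructed demo: an editor with report-admin access but not ADMIN.
$admin  = new ReportAdmin([new SalesReport(), new PayrollReport()]);
$editor = new SimpleMember(['CMS_ACCESS_ReportAdmin']);

$listed = array_map(fn(Report $r) => $r->name(), $admin->listReports($editor));
echo 'listed: ' . implode(',', $listed) . PHP_EOL;                     // sales
echo 'direct (vulnerable): ' . ($admin->getReportVulnerable('payroll', $editor) ? 'allowed' : 'denied') . PHP_EOL;
echo 'direct (fixed):      ' . ($admin->getReportFixed('payroll', $editor) ? 'allowed' : 'denied') . PHP_EOL;
```

The defender's takeaway is the shape of `getReportFixed`: every route that resolves a single object by identifier must repeat the same per-object authorisation check that the listing applies, rather than relying on the list having hidden it.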
Base CVSS: 4.3
Reported by: Nate Devereux and Fiona Black from Silverstripe Ltd.