GHSA-xmp3-7745-g4vj – ezsystems/ez-support-tools

Package

Manager: composer
Name: ezsystems/ez-support-tools
Vulnerable Version: >=2.2.0 <2.2.3

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

ezsystems/ez-support-tools Failing access control in system info view This Security Advisory is about a vulnerability in ezsystems/ez-support-tools v2.2, part of Ibexa DXP v3.2. Older versions are not affected. A user having insufficient permissions is able to access the system information tabs if they type in the direct link (the link is not shown in the menu). The "Setup / System info" policy should be required to access it, but only backend login is actually required. This means any editor can see core system information, including the output from phpinfo(). The fix ensures that the access policy is correctly verified.

Metadata

Created: 2024-05-15T21:07:06Z
Modified: 2024-05-15T21:07:06Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-xmp3-7745-g4vj/GHSA-xmp3-7745-g4vj.json
CWE IDs: []
Alternative ID: N/A
Finding: F310
Auto approve: 1