Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-29885

Summary
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
Published At-17 Jul, 2024 | 19:35
Updated At-02 Aug, 2024 | 01:17
Rejected At-
Credits

Reports are still accessible even when `canView()` returns false in silverstripe/reports

silverstripe/reports is an API for creating backend reports in the Silverstripe Framework. In affected versions reports can be accessed by their direct URL by any user who has access to view the reports admin section, even if the `canView()` method for that report returns `false`. This issue has been addressed in version 5.2.3. All users are advised to upgrade. There are no known workarounds for this vulnerability.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:GitHub_M
Assigner Org ID:a0819718-46f1-4df5-94e2-005712e83aaa
Published At:17 Jul, 2024 | 19:35
Updated At:02 Aug, 2024 | 01:17
Rejected At:
▼CVE Numbering Authority (CNA)
Reports are still accessible even when `canView()` returns false in silverstripe/reports

silverstripe/reports is an API for creating backend reports in the Silverstripe Framework. In affected versions reports can be accessed by their direct URL by any user who has access to view the reports admin section, even if the `canView()` method for that report returns `false`. This issue has been addressed in version 5.2.3. All users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected Products
Vendor
Silverstripesilverstripe
Product
silverstripe-reports
Versions
Affected
  • < 5.2.3
Problem Types
TypeCWE IDDescription
CWECWE-200CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Type: CWE
CWE ID: CWE-200
Description: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Metrics
VersionBase scoreBase severityVector
3.14.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/silverstripe/silverstripe-reports/security/advisories/GHSA-89q6-98xx-4ffw
x_refsource_CONFIRM
https://github.com/silverstripe/silverstripe-reports/commit/0351106c18ad4246d983b5f4e082c09c382121f4
x_refsource_MISC
https://www.silverstripe.org/download/security-releases/cve-2024-29885
x_refsource_MISC
Hyperlink: https://github.com/silverstripe/silverstripe-reports/security/advisories/GHSA-89q6-98xx-4ffw
Resource:
x_refsource_CONFIRM
Hyperlink: https://github.com/silverstripe/silverstripe-reports/commit/0351106c18ad4246d983b5f4e082c09c382121f4
Resource:
x_refsource_MISC
Hyperlink: https://www.silverstripe.org/download/security-releases/cve-2024-29885
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
1. CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
2. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/silverstripe/silverstripe-reports/security/advisories/GHSA-89q6-98xx-4ffw
x_refsource_CONFIRM
x_transferred
https://github.com/silverstripe/silverstripe-reports/commit/0351106c18ad4246d983b5f4e082c09c382121f4
x_refsource_MISC
x_transferred
https://www.silverstripe.org/download/security-releases/cve-2024-29885
x_refsource_MISC
x_transferred
Hyperlink: https://github.com/silverstripe/silverstripe-reports/security/advisories/GHSA-89q6-98xx-4ffw
Resource:
x_refsource_CONFIRM
x_transferred
Hyperlink: https://github.com/silverstripe/silverstripe-reports/commit/0351106c18ad4246d983b5f4e082c09c382121f4
Resource:
x_refsource_MISC
x_transferred
Hyperlink: https://www.silverstripe.org/download/security-releases/cve-2024-29885
Resource:
x_refsource_MISC
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security-advisories@github.com
Published At:17 Jul, 2024 | 20:15
Updated At:18 Jul, 2024 | 12:28

silverstripe/reports is an API for creating backend reports in the Silverstripe Framework. In affected versions reports can be accessed by their direct URL by any user who has access to view the reports admin section, even if the `canView()` method for that report returns `false`. This issue has been addressed in version 5.2.3. All users are advised to upgrade. There are no known workarounds for this vulnerability.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.14.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Type: Secondary
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-200Secondarysecurity-advisories@github.com
CWE ID: CWE-200
Type: Secondary
Source: security-advisories@github.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/silverstripe/silverstripe-reports/commit/0351106c18ad4246d983b5f4e082c09c382121f4security-advisories@github.com
N/A
https://github.com/silverstripe/silverstripe-reports/security/advisories/GHSA-89q6-98xx-4ffwsecurity-advisories@github.com
N/A
https://www.silverstripe.org/download/security-releases/cve-2024-29885security-advisories@github.com
N/A
Hyperlink: https://github.com/silverstripe/silverstripe-reports/commit/0351106c18ad4246d983b5f4e082c09c382121f4
Source: security-advisories@github.com
Resource: N/A
Hyperlink: https://github.com/silverstripe/silverstripe-reports/security/advisories/GHSA-89q6-98xx-4ffw
Source: security-advisories@github.com
Resource: N/A
Hyperlink: https://www.silverstripe.org/download/security-releases/cve-2024-29885
Source: security-advisories@github.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

409Records found
CVE-2022-32218
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-4.3||MEDIUM
EPSS-0.42% / 62.08%
||
7 Day CHG~0.00%
Published-23 Sep, 2022 | 18:28
Updated-22 May, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An information disclosure vulnerability exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 due to the actionLinkHandler method was found to allow Message ID Enumeration with Regex MongoDB queries.

Action-Not Available
Vendor-rocket.chatn/a
Product-rocket.chatRocket.chat
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-203
Observable Discrepancy
CVE-2022-31674
Matching Score-4
Assigner-VMware by Broadcom
ShareView Details
Matching Score-4
Assigner-VMware by Broadcom
CVSS Score-4.3||MEDIUM
EPSS-0.27% / 50.42%
||
7 Day CHG~0.00%
Published-09 Aug, 2022 | 20:19
Updated-27 Aug, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

VMware vRealize Operations contains an information disclosure vulnerability. A low-privileged malicious actor with network access can access log files that lead to information disclosure.

Action-Not Available
Vendor-n/aVMware (Broadcom Inc.)
Product-vrealize_operationsVMware vRealize Operations
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-532
Insertion of Sensitive Information into Log File
CVE-2022-32229
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-4.3||MEDIUM
EPSS-0.45% / 63.89%
||
7 Day CHG~0.00%
Published-23 Sep, 2022 | 18:28
Updated-22 May, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A information disclosure vulnerability exists in Rockert.Chat <v5 due to /api/v1/chat.getThreadsList lack of sanitization of user inputs and can therefore leak private thread messages to unauthorized users via Mongo DB injection.

Action-Not Available
Vendor-rocket.chatn/a
Product-rocket.chatRocket.Chat
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2022-32742
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.57% / 68.93%
||
7 Day CHG~0.00%
Published-25 Aug, 2022 | 00:00
Updated-03 Aug, 2024 | 07:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A flaw was found in Samba. Some SMB1 write requests were not correctly range-checked to ensure the client had sent enough data to fulfill the write, allowing server memory contents to be written into the file (or printer) instead of client-supplied data. The client cannot control the area of the server memory written to the file (or printer).

Action-Not Available
Vendor-n/aSamba
Product-sambasamba
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2022-31032
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.35% / 57.43%
||
7 Day CHG~0.00%
Published-29 Jun, 2022 | 17:45
Updated-23 Apr, 2025 | 18:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Resources of private projects can be exposed in Tuleap

Tuleap is a Free & Open Source Suite to improve management of software developments and collaboration. In versions prior to 13.9.99.58 authorizations are not properly verified when creating projects or trackers from projects marked as templates. Users can get access to information in those template projects because the permissions model is not properly enforced. Users are advised to upgrade. There are no known workarounds for this issue.

Action-Not Available
Vendor-Enalean SAS
Product-tuleaptuleap
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2022-31095
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.21% / 42.91%
||
7 Day CHG~0.00%
Published-21 Jun, 2022 | 19:00
Updated-23 Apr, 2025 | 18:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Exposure of Sensitive Information in discourse-chat

discourse-chat is a chat plugin for the Discourse application. Versions prior to 0.4 are vulnerable to an exposure of sensitive information, where an attacker who knows the message ID for a channel they do not have access to can view that message using the chat message lookup endpoint, primarily affecting direct message channels. There are no known workarounds for this issue, and users are advised to update the plugin.

Action-Not Available
Vendor-Civilized Discourse Construction Kit, Inc.
Product-discourse-chatdiscourse-chat
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-862
Missing Authorization
CVE-2022-29467
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-4.3||MEDIUM
EPSS-0.16% / 36.89%
||
7 Day CHG~0.00%
Published-04 Jul, 2022 | 06:56
Updated-03 Aug, 2024 | 06:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Address information disclosure vulnerability in Cybozu Garoon 4.2.0 to 5.5.1 allows a remote authenticated attacker to obtain some data of Address.

Action-Not Available
Vendor-Cybozu, Inc.
Product-garoonCybozu Garoon
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2025-20377
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.05% / 15.61%
||
7 Day CHG~0.00%
Published-05 Nov, 2025 | 16:31
Updated-21 Nov, 2025 | 14:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco Unified Intelligence Center API Information Disclosure Vulnerability

A vulnerability in the API subsystem of Cisco Unified Intelligence Center could allow an authenticated, remote attacker to obtain sensitive information from an affected system. This vulnerability is due to improper validation of requests to certain API endpoints. An attacker could exploit this vulnerability by sending a valid request to a specific API endpoint within the affected system. A successful exploit could allow a low-privileged user to view sensitive information on the affected system that should be restricted. To exploit this vulnerability, the attacker must have valid user credentials on the affected system.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-Cisco Packaged Contact Center EnterpriseCisco Unified Contact Center EnterpriseCisco Unified Contact Center ExpressCisco Unified Intelligence Center
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2025-15520
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 12.39%
||
7 Day CHG~0.00%
Published-13 Feb, 2026 | 06:00
Updated-13 Feb, 2026 | 16:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
RegistrationMagic <= 6.0.7.2 - Subscriber+ Sensitive Data Disclosure

The RegistrationMagic WordPress plugin before 6.0.7.2 checks nonces but not capabilities, allowing for the disclosure of some sensitive data to subscribers and above.

Action-Not Available
Vendor-Unknown
Product-RegistrationMagic
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
  • Previous
  • 1
  • 2
  • ...
  • 7
  • 8
  • 9
  • Next
Details not found