The open-ils.pcrud endpoint in Evergreen before 2.5.9, 2.6.x before 2.6.7, and 2.7.x before 2.7.4 allows remote attackers to obtain sensitive settings history information by leveraging lack of user permission for retrieval in fm_IDL.xml.
References
Link | Resource |
---|---|
http://evergreen-ils.org/downloads/ChangeLog-2.5.8-2.5.9 | Issue Tracking Release Notes |
http://evergreen-ils.org/downloads/ChangeLog-2.6.6-2.6.7 | Issue Tracking Release Notes |
http://evergreen-ils.org/downloads/ChangeLog-2.7.3-2.7.4 | Issue Tracking Release Notes |
http://evergreen-ils.org/security-releases-evergreen-2-7-4-2-6-7-and-2-5-9/ | Issue Tracking Release Notes |
http://git.evergreen-ils.org/?p=Evergreen.git%3Ba=commit%3Bh=ac588e879cf73ff1b65617e0bd273361d3529063 | |
http://www.openwall.com/lists/oss-security/2015/03/04/3 | Mailing List Issue Tracking Third Party Advisory |
https://bugs.launchpad.net/evergreen/+bug/1206589 | Issue Tracking Patch |
History
No history.
Information
Published : 2018-02-01 17:29
Updated : 2024-02-04 19:46
NVD link : CVE-2013-7435
Mitre link : CVE-2013-7435
CVE.ORG link : CVE-2013-7435
Products Affected
evergreen-ils
- evergreen
CWE
CWE-200
Exposure of Sensitive Information to an Unauthorized Actor