Description
The open-ils.pcrud endpoint in Evergreen before 2.5.9, 2.6.x before 2.6.7, and 2.7.x before 2.7.4 allows remote attackers to obtain sensitive settings history information by leveraging lack of user permission for retrieval in fm_IDL.xml.
References (7)
Core 7
Core References
Issue Tracking, Release Notes x_refsource_confirm
http://evergreen-ils.org/downloads/ChangeLog-2.7.3-2.7.4
Issue Tracking, Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2015/03/04/3
Issue Tracking, Patch x_refsource_confirm
https://bugs.launchpad.net/evergreen/+bug/1206589
Various Sources x_refsource_confirm
http://git.evergreen-ils.org/?p=Evergreen.git%3Ba=commit%3Bh=ac588e879cf73ff1b65617e0bd273361d3529063
Issue Tracking, Release Notes x_refsource_confirm
http://evergreen-ils.org/downloads/ChangeLog-2.6.6-2.6.7
Issue Tracking, Release Notes x_refsource_confirm
http://evergreen-ils.org/downloads/ChangeLog-2.5.8-2.5.9
Issue Tracking, Release Notes x_refsource_confirm
http://evergreen-ils.org/security-releases-evergreen-2-7-4-2-6-7-and-2-5-9/
Scores
CVSS v3
6.5
EPSS
0.0220
EPSS Percentile
80.4%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-200
Status
published
Products (1)
evergreen-ils/evergreen
< 2.5.9
Published
Feb 01, 2018
Tracked Since
Feb 18, 2026