CyberSec.Space Logo
Back to CVE Browser

CVE-2015-2204

HIGH
7.5
CVSS Severity Score
EPSS Score0.0970%
EPSS Percentile36.43th
PublishedFeb 1, 2018
Last ModifiedNov 21, 2024

Vulnerability Description

Evergreen before 2.5.9, 2.6.x before 2.6.7, and 2.7.x before 2.7.4 allows remote attackers to bypass an intended access restriction and obtain sensitive information about org unit settings by leveraging failure of open-ils.actor.ou_setting.ancestor_default to enforce view_perm when no auth token is provided.

Affected Platforms (CPE)

πŸ“¦
Evergreen Ils

Evergreen

< 2.5.9
πŸ“¦
Evergreen Ils

Evergreen

>= 2.6.0 and < 2.6.7
πŸ“¦
Evergreen Ils

Evergreen

>= 2.7.0 and < 2.7.4

References & Advisories

πŸ”— http://evergreen-ils.org/downloads/ChangeLog-2.5.8-2.5.9
πŸ”— http://evergreen-ils.org/downloads/ChangeLog-2.6.6-2.6.7
πŸ”— http://evergreen-ils.org/downloads/ChangeLog-2.7.3-2.7.4
πŸ”— http://evergreen-ils.org/security-releases-evergreen-2-7-4-2-6-7-and-2-5-9/
πŸ”— http://git.evergreen-ils.org/?p=Evergreen.git%3Ba=commit%3Bh=3a0f1cc7b2efa517ee4cd4c6a682237554fed307
πŸ”— http://www.openwall.com/lists/oss-security/2015/03/04/3
πŸ”— http://www.securityfocus.com/bid/72889
πŸ”— https://bugs.launchpad.net/evergreen/+bug/1424755

Related Vulnerabilities

CVE-2013-74356.5

The open-ils.pcrud endpoint in Evergreen before 2.5.9, 2.6.x before 2.6.7, and 2.7.x before 2.7.4 allows remote attackers to obtai...

CVE-2015-22036.5

Evergreen 2.5.9, 2.6.7, and 2.7.4 allows remote authenticated users with STAFF_LOGIN permission to obtain sensitive settings histo...

CVE-2014-16265.0

XML External Entity (XXE) vulnerability in MARC::File::XML module before 1.0.2 for Perl, as used in Evergreen, Koha, perl4lib, and...

CVE-2015-304810.0

Buffer overflow in Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 on Windows and OS X allows attackers to ex...