CyberSec.Space Logo
返回 CVE 瀏覽器

CVE-2015-2204

HIGH
7.5
CVSS Severity Score
EPSS Score0.0970%
EPSS Percentile36.43th
Published2018年2月1日
Last Modified2024年11月21日

Vulnerability Description

Evergreen before 2.5.9, 2.6.x before 2.6.7, and 2.7.x before 2.7.4 allows remote attackers to bypass an intended access restriction and obtain sensitive information about org unit settings by leveraging failure of open-ils.actor.ou_setting.ancestor_default to enforce view_perm when no auth token is provided.

Affected Platforms (CPE)

📦
Evergreen Ils

Evergreen

< 2.5.9
📦
Evergreen Ils

Evergreen

>= 2.6.0 and < 2.6.7
📦
Evergreen Ils

Evergreen

>= 2.7.0 and < 2.7.4

References & Advisories

🔗 http://evergreen-ils.org/downloads/ChangeLog-2.5.8-2.5.9
🔗 http://evergreen-ils.org/downloads/ChangeLog-2.6.6-2.6.7
🔗 http://evergreen-ils.org/downloads/ChangeLog-2.7.3-2.7.4
🔗 http://evergreen-ils.org/security-releases-evergreen-2-7-4-2-6-7-and-2-5-9/
🔗 http://git.evergreen-ils.org/?p=Evergreen.git%3Ba=commit%3Bh=3a0f1cc7b2efa517ee4cd4c6a682237554fed307
🔗 http://www.openwall.com/lists/oss-security/2015/03/04/3
🔗 http://www.securityfocus.com/bid/72889
🔗 https://bugs.launchpad.net/evergreen/+bug/1424755

相關漏洞威脅

CVE-2013-74356.5

The open-ils.pcrud endpoint in Evergreen before 2.5.9, 2.6.x before 2.6.7, and 2.7.x before 2.7.4 allows remote attackers to obtai...

CVE-2015-22036.5

Evergreen 2.5.9, 2.6.7, and 2.7.4 allows remote authenticated users with STAFF_LOGIN permission to obtain sensitive settings histo...

CVE-2014-16265.0

XML External Entity (XXE) vulnerability in MARC::File::XML module before 1.0.2 for Perl, as used in Evergreen, Koha, perl4lib, and...

CVE-2015-098710.0

Omron CX-One CX-Programmer before 9.6, CJ2M PLC devices before 2.1, and CJ2H PLC devices before 1.5 rely on cleartext password tra...