CVE-2024-29885

4.3 MEDIUM

📋 TL;DR

This vulnerability allows users with access to the reports admin section in Silverstripe to bypass authorization controls and view reports they shouldn't have permission to access. By using direct URLs to specific reports, users can circumvent the canView() method that should restrict access. This affects all Silverstripe installations using the vulnerable reports module.

💻 Affected Systems

Products:
  • silverstripe/reports module
Versions: All versions before 5.2.3
Operating Systems: All operating systems running Silverstripe
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations where the reports module is enabled and users have access to the reports admin section.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Unauthorized users access sensitive business reports containing confidential data, leading to data exposure and potential regulatory compliance violations.

🟠

Likely Case

Users with limited report access can view additional reports beyond their intended permissions, potentially exposing sensitive operational or customer data.

🟢

If Mitigated

With proper network segmentation and access controls, impact is limited to authorized users gaining access to additional reports they shouldn't see.

🌐 Internet-Facing: MEDIUM - While exploitation requires authenticated access, internet-facing admin interfaces increase attack surface.
🏢 Internal Only: MEDIUM - Internal users with any report access can potentially view all reports, creating insider threat risks.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access to the reports admin section and knowledge of report URLs.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.2.3

Vendor Advisory: https://www.silverstripe.org/download/security-releases/cve-2024-29885

Restart Required: Yes

Instructions:

1. Update silverstripe/reports module to version 5.2.3 via composer: composer require silverstripe/reports:5.2.3
2. Clear Silverstripe cache
3. Restart web server
4. Verify reports authorization is working correctly

🔧 Temporary Workarounds

No workarounds available.

The vendor states there are no known workarounds for this vulnerability.

🧯 If You Can't Patch

  • Restrict access to the reports admin section to only essential users
  • Implement network-level access controls to limit who can reach the Silverstripe admin interface

🔍 How to Verify

Check if Vulnerable:

Check composer.json or installed packages for silverstripe/reports version below 5.2.3

Check Version:

composer show silverstripe/reports | grep versions

Verify Fix Applied:

Verify silverstripe/reports version is 5.2.3 or higher and test that users cannot access reports where canView() returns false
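The version check above can be automated against composer.lock rather than read by eye. The script below is an added example for this advisory, not Silverstripe's own tooling: it parses a composer.lock, finds silverstripe/reports, and reports whether the installed release is below the fixed version 5.2.3. The lock-file excerpt is constructed; the parsing logic works on a real file, and non-release versions such as "5.x-dev" are reported as "unknown" rather than guessed.

```python
"""Check whether the installed silverstripe/reports release is below the fixed
version (5.2.3) by reading composer.lock.

Added example for this advisory, not Silverstripe's own tooling. The lock-file
excerpt below is constructed; the parsing logic works on a real composer.lock.
"""
import json
import re

FIXED_VERSION = (5, 2, 3)          # from the advisory: fixed in 5.2.3
PACKAGE = "silverstripe/reports"

# Constructed composer.lock excerpt (a real file lists many more packages).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "silverstripe/framework", "version": "5.2.1"},
        {"name": "silverstripe/reports", "version": "v5.1.0"},
    ],
    "packages-dev": [],
})


def parse_version(text):
    """Return a (major, minor, patch) tuple, or None if the string is not a
    plain release (e.g. '5.x-dev' or 'dev-main'); callers treat None as
    'cannot tell' instead of assuming it is safe."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def installed_version(lock_json, package=PACKAGE):
    """Return the version string recorded for `package` in composer.lock
    content (both 'packages' and 'packages-dev' are searched), or None."""
    data = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            if pkg.get("name") == package:
                return pkg.get("version")
    return None


def assess(lock_json):
    """Classify the lock file: 'not-installed', 'vulnerable', 'fixed' or 'unknown'."""
    raw = installed_version(lock_json)
    if raw is None:
        return "not-installed"
    ver = parse_version(raw)
    if ver is None:
        return "unknown"
    # Tuple comparison gives correct ordering for e.g. 5.10.0 > 5.2.3
    return "vulnerable" if ver < FIXED_VERSION else "fixed"


if __name__ == "__main__":
    # On a real deployment: assess(open("composer.lock").read())
    print(f"{PACKAGE}: {installed_version(SAMPLE_LOCK)} -> {assess(SAMPLE_LOCK)}")
```

A "fixed" result only confirms the package version; the behavioural check the advisory asks for (a user for whom canView() returns false cannot open the report by direct URL) still has to be exercised against the running site.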

📡 Detection & Monitoring

Log Indicators:

  • Unusual report access patterns from users
  • Access to report URLs that should be restricted

Network Indicators:

  • Multiple requests to report endpoints from single users in short timeframes

SIEM Query:

source="webserver" AND (uri_path="/admin/reports/" OR uri_path CONTAINS "/admin/reports/") AND status=200 AND user_agent NOT IN ["expected_user_agents"]
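The log and network indicators above (one account opening many restricted report URLs in a short timeframe) can be turned into a concrete rule. The script below is an added example for this advisory, not a vendor detection: it parses an application access log, keeps successful requests under /admin/reports/ that are for an individual report rather than the listing page, and flags any account that reaches at least THRESHOLD distinct report paths inside a sliding WINDOW. The log format, usernames and report path names are constructed (only the /admin/reports/ prefix comes from this page), and the window and threshold are assumptions to tune per site.

```python
"""Flag accounts that open many distinct reports in a short window, the pattern
this advisory's log and network indicators describe.

Added example for this advisory, not vendor code. Log format, users and report
path names are constructed; WINDOW and THRESHOLD are assumptions to tune per site.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log lines: "<ISO time> <user> <method> <path> <status>".
# Report path names are placeholders, not real Silverstripe report identifiers.
SAMPLE_LOG = """\
2024-04-01T10:00:01 alice GET /admin/reports/ 200
2024-04-01T10:00:05 alice GET /admin/reports/show/ReportA 200
2024-04-01T10:00:09 alice GET /admin/reports/show/ReportB 200
2024-04-01T10:00:14 alice GET /admin/reports/show/ReportC 200
2024-04-01T10:00:20 alice GET /admin/reports/show/ReportD 200
2024-04-01T10:01:00 bob GET /admin/reports/show/ReportA 200
2024-04-01T10:01:05 bob GET /admin/reports/show/ReportB 403
2024-04-01T10:02:00 carol GET /admin/reports/show/ReportA 200
2024-04-01T10:04:00 carol GET /admin/reports/show/ReportB 200
2024-04-01T10:06:00 carol GET /admin/reports/show/ReportC 200
2024-04-01T10:06:30 dave GET /admin/pages/ 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")
REPORT_PREFIX = "/admin/reports/"
WINDOW = timedelta(seconds=60)   # assumption: tune per site
THRESHOLD = 3                    # assumption: distinct reports per window


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, user, method, path, status = m.groups()
    return {"time": datetime.fromisoformat(ts), "user": user,
            "method": method, "path": path, "status": int(status)}


def report_hits(lines):
    """Yield successful (200) requests for individual reports; the listing page
    itself and denied (non-200) requests are ignored."""
    for line in lines:
        rec = parse_line(line)
        if (rec and rec["status"] == 200
                and rec["path"].startswith(REPORT_PREFIX)
                and rec["path"] != REPORT_PREFIX):
            yield rec


def suspicious_users(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {user: max distinct report paths seen within any `window`} for
    every user whose maximum reaches `threshold`."""
    by_user = defaultdict(list)
    for rec in report_hits(lines):
        by_user[rec["user"]].append((rec["time"], rec["path"]))

    flagged = {}
    for user, hits in by_user.items():
        hits.sort()                      # sliding window needs time order
        best, start = 0, 0
        for end in range(len(hits)):
            # Advance the window start until the span fits inside `window`
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = len({path for _, path in hits[start:end + 1]})
            best = max(best, distinct)
        if best >= threshold:
            flagged[user] = best
    return flagged


if __name__ == "__main__":
    for user, count in suspicious_users(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT: {user} opened {count} distinct reports within {WINDOW}")
```

With the constructed sample only alice is flagged: bob's second request was denied (403) and carol's three reports are spaced minutes apart, so neither crosses the threshold inside a 60-second window. Because the bypass in this CVE turns a request that should have been denied into a 200, a user's distinct-report count is a better signal than raw request volume; pair it with a baseline of which reports each role normally opens.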

🔗 References
