Access Restriction Bypass Vulnerability in Evergreen

Access Restriction Bypass Vulnerability in Evergreen

CVE-2015-2204 · MEDIUM Severity

AV:N/AC:L/AU:N/C:P/I:N/A:N

Evergreen before 2.5.9, 2.6.x before 2.6.7, and 2.7.x before 2.7.4 allows remote attackers to bypass an intended access restriction and obtain sensitive information about org unit settings by leveraging failure of open-ils.actor.ou_setting.ancestor_default to enforce view_perm when no auth token is provided.

Learn more about our Web Application Penetration Testing UK.