CVE-2023-3819: Confidential information provided to user with no permissions (#15530) · pimcore/pimcore@0237527
Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository pimcore/pimcore prior to 10.6.4.
Confidential information provided to user with no permissions (#15530)
* Fix: check user permissions
* some optimizations
* Restrict access to /admin/index/statics
* remove unused
Co-authored-by: dvesh3 [email protected]
Showing 4 changed files with 12 additions and 1 deletion.
- ClassController.php
- IndexController.php
- SettingsController.php
- startup.js
3 changes: 3 additions & 0 deletions bundles/AdminBundle/Controller/Admin/DataObject/ClassController.php
@@ -91,6 +91,9 @@ public function getAssetTypesAction(Request $request)
*/
public function getTreeAction(Request $request)
{
// we need to check objects permission for listing in pimcore.model.objecttypes ext model
$this->checkPermission(‘objects’);
$defaultIcon = '/bundles/pimcoreadmin/img/flat-color-icons/class.svg’;
$classesList = new DataObject\ClassDefinition\Listing();
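Review bot: The docblock that closes with the `*/` just above getTreeAction does not mention the new precondition, so a reader of the signature cannot see that the method now denies users who lack the `objects` permission; add `* Requires the "objects" permission (enforced via checkPermission()); the request is denied otherwise.` to it, and the same for getAvailableSitesAction in SettingsController with the `documents` permission. The inline comment explains where the result is consumed (the objecttypes ext model) rather than why `objects` is the right gate; rewording it as `// class definitions expose the data-object model, so require the same permission as object listing` states the security rationale instead. This assumes checkPermission() throws on failure rather than returning a flag — the sibling hunks use it the same way, but its implementation is outside this diff. getTreeAction's body continues past the hunk.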
4 changes: 4 additions & 0 deletions bundles/AdminBundle/Controller/Admin/IndexController.php
@@ -138,6 +138,10 @@ public function indexAction(
*/
public function statisticsAction(Request $request, Connection $db, KernelInterface $kernel)
{
if (!$request->isXmlHttpRequest()) {
throw $this->createAccessDeniedHttpException();
}
// DB
try {
$tables = $db->fetchAllAssociative('SELECT TABLE_NAME as name,TABLE_ROWS as `rows` from information_schema.TABLES
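Review bot: The new guard at the top of statisticsAction only rejects requests that lack the `X-Requested-With: XMLHttpRequest` header, which is not an authorization check: any authenticated admin-panel user, whatever their permissions, still receives the information_schema table statistics queried below once that header is present, as startup.js itself now sends it. If the intent is to limit this data to privileged users, add an explicit permission check after the XHR test, e.g. `$this->checkPermission(<permission-name>);` as the other controllers in this commit do, and keep the XHR guard as protection against plain top-level navigation to the URL. A short comment such as `// XHR-only: blocks direct browser navigation; this is not a permission check` would make the guard's limited scope clear to the next reader. The method body, including the try block, continues outside the hunk.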
3 changes: 3 additions & 0 deletions bundles/AdminBundle/Controller/Admin/SettingsController.php
@@ -1069,6 +1069,9 @@ public function glossaryAction(Request $request)
*/
public function getAvailableSitesAction(Request $request)
{
// we need to check documents permission for listing purposes in sites ext model & url-slugs
$this->checkPermission(‘documents’);
$excludeMainSite = $request->get(‘excludeMainSite’);
$sitesList = new Model\Site\Listing();
3 changes: 2 additions & 1 deletion bundles/AdminBundle/Resources/public/js/pimcore/startup.js
@@ -571,8 +571,9 @@ Ext.onReady(function () {
}
if (data.pushStatistics) {
var request = new XMLHttpRequest();
const request = new XMLHttpRequest();
request.open('GET’, Routing.generate(‘pimcore_admin_index_statistics’));
request.setRequestHeader('X-Requested-With’, ‘XMLHttpRequest’);
request.onload = function () {
if (this.status >= 200 && this.status < 400) {
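Review bot: The added `request.setRequestHeader('X-Requested-With', 'XMLHttpRequest')` line carries no explanation, and because a raw XMLHttpRequest does not send that header on its own it reads as optional and is the kind of line a later cleanup drops; a comment tying it to the server side, `// required: pimcore_admin_index_statistics rejects requests not marked as XHR (IndexController::statisticsAction)`, keeps the client and the controller in step. The header is only a marker that the call originated from script, not a credential — the session still authorizes the request — so it should not be read as the access control for this endpoint. The surrounding Ext.onReady callback starts and ends outside the hunk.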
Related news
### Impact
Unauthorized users are able to obtain sensitive information about the system's runtime environment, features they have no permissions to access, etc.
### Patches
Update to version 10.6.4 or apply this patch manually https://github.com/pimcore/pimcore/commit/0237527b3244d251fa5ecd4912dfe4f8b2125c54.patch
### Workarounds
Apply patch https://github.com/pimcore/pimcore/commit/0237527b3244d251fa5ecd4912dfe4f8b2125c54.patch manually.
### References
https://huntr.dev/bounties/be5e4d4c-1b0b-4c01-a1fc-00533135817c/