Evergreen prior to 2.5.9, 2.6.x prior to 2.6.7, and 2.7.x prior to 2.7.4 allows remote malicious users to bypass an intended access restriction and obtain sensitive information about org unit settings by leveraging failure of open-ils.actor.ou_setting.ancestor_default to enforce view_perm when no auth token is provided.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
evergreen-ils evergreen |